059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
Size

5.8MB
MD5

54412b71ea7131807f7deb790419b599
SHA1

601bd3f38ad8ef4a40ec3f7a05335ff65c8d24e9
SHA256

059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5
SHA512

3622035afd091ef8fbfc79b56c8a05c81470c6ca01c1ab3d596f6d3acffcb5d725484ed0e321dbed4900b6f4811316234266a72cc2849eba218114f464d786c3
SSDEEP

98304:Dab1BTT+LfX6NrYkF3kxM4P5wPgyAqohJ8NJxmwAlicL3dRgGjCI/tx:DM9TH9F3OM4POIyAqglD3dRgG+I

Score

10^/10

defense_evasion evasion execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

Processes:

059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exeupdater.exe

description	pid	process	target process
PID 4152 created 3304	4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe	Explorer.EXE
PID 4152 created 3304	4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe	Explorer.EXE
PID 4152 created 3304	4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe	Explorer.EXE
PID 4152 created 3304	4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe	Explorer.EXE
PID 4152 created 3304	4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe	Explorer.EXE
PID 1428 created 3304	1428	updater.exe	Explorer.EXE
PID 1428 created 3304	1428	updater.exe	Explorer.EXE
PID 1428 created 3304	1428	updater.exe	Explorer.EXE
PID 1428 created 3304	1428	updater.exe	Explorer.EXE
PID 1428 created 3304	1428	updater.exe	Explorer.EXE
PID 1428 created 3304	1428	updater.exe	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1672 powershell.exe
2092 powershell.exe
3132 powershell.exe
4160 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1428 updater.exe

pid	process
1672	powershell.exe
2092	powershell.exe
3132	powershell.exe
4160	powershell.exe

pid	process
1428	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

svchost.exepowershell.exepowershell.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\ChromeSetup	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exeupdater.exe

description	pid	process	target process
PID 4152 set thread context of 424	4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe	dialer.exe
PID 1428 set thread context of 4600	1428	updater.exe	dialer.exe
PID 1428 set thread context of 3148	1428	updater.exe	dialer.exe
PID 1428 set thread context of 1788	1428	updater.exe	dialer.exe

Drops file in Program Files directory 2 IoCs

Processes:

059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4840 sc.exe
1200 sc.exe
4332 sc.exe
1736 sc.exe
1252 sc.exe
1288 sc.exe
640 sc.exe
1620 sc.exe
1392 sc.exe
3600 sc.exe

pid	process
4840	sc.exe
1200	sc.exe
4332	sc.exe
1736	sc.exe
1252	sc.exe
1288	sc.exe
640	sc.exe
1620	sc.exe
1392	sc.exe
3600	sc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 15 Sep 2024 09:51:05 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1726393864"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exepowershell.exedialer.exepowershell.exe

pid	process
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
1672	powershell.exe
1672	powershell.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
3132	powershell.exe
3132	powershell.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
3132	powershell.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
3132	powershell.exe
424	dialer.exe
424	dialer.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe
424	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exedialer.exepowershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	424	dialer.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2656	svchost.exe
Token: SeIncreaseQuotaPrivilege	2656	svchost.exe
Token: SeSecurityPrivilege	2656	svchost.exe
Token: SeTakeOwnershipPrivilege	2656	svchost.exe
Token: SeLoadDriverPrivilege	2656	svchost.exe
Token: SeSystemtimePrivilege	2656	svchost.exe
Token: SeBackupPrivilege	2656	svchost.exe
Token: SeRestorePrivilege	2656	svchost.exe
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeSystemEnvironmentPrivilege	2656	svchost.exe
Token: SeUndockPrivilege	2656	svchost.exe
Token: SeManageVolumePrivilege	2656	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2656	svchost.exe
Token: SeIncreaseQuotaPrivilege	2656	svchost.exe
Token: SeSecurityPrivilege	2656	svchost.exe
Token: SeTakeOwnershipPrivilege	2656	svchost.exe
Token: SeLoadDriverPrivilege	2656	svchost.exe
Token: SeSystemtimePrivilege	2656	svchost.exe
Token: SeBackupPrivilege	2656	svchost.exe
Token: SeRestorePrivilege	2656	svchost.exe
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeSystemEnvironmentPrivilege	2656	svchost.exe
Token: SeUndockPrivilege	2656	svchost.exe
Token: SeManageVolumePrivilege	2656	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2656	svchost.exe
Token: SeIncreaseQuotaPrivilege	2656	svchost.exe
Token: SeSecurityPrivilege	2656	svchost.exe
Token: SeTakeOwnershipPrivilege	2656	svchost.exe
Token: SeLoadDriverPrivilege	2656	svchost.exe
Token: SeSystemtimePrivilege	2656	svchost.exe
Token: SeBackupPrivilege	2656	svchost.exe
Token: SeRestorePrivilege	2656	svchost.exe
Token: SeShutdownPrivilege	2656	svchost.exe
Token: SeSystemEnvironmentPrivilege	2656	svchost.exe
Token: SeUndockPrivilege	2656	svchost.exe
Token: SeManageVolumePrivilege	2656	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2656	svchost.exe
Token: SeIncreaseQuotaPrivilege	2656	svchost.exe
Token: SeSecurityPrivilege	2656	svchost.exe
Token: SeTakeOwnershipPrivilege	2656	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exedialer.exe

description	pid	process	target process
PID 780 wrote to memory of 640	780	cmd.exe	sc.exe
PID 780 wrote to memory of 640	780	cmd.exe	sc.exe
PID 780 wrote to memory of 4840	780	cmd.exe	sc.exe
PID 780 wrote to memory of 4840	780	cmd.exe	sc.exe
PID 780 wrote to memory of 1200	780	cmd.exe	sc.exe
PID 780 wrote to memory of 1200	780	cmd.exe	sc.exe
PID 780 wrote to memory of 1620	780	cmd.exe	sc.exe
PID 780 wrote to memory of 1620	780	cmd.exe	sc.exe
PID 780 wrote to memory of 1392	780	cmd.exe	sc.exe
PID 780 wrote to memory of 1392	780	cmd.exe	sc.exe
PID 4152 wrote to memory of 424	4152	059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe	dialer.exe
PID 424 wrote to memory of 632	424	dialer.exe	winlogon.exe
PID 424 wrote to memory of 680	424	dialer.exe	lsass.exe
PID 424 wrote to memory of 992	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 460	424	dialer.exe	dwm.exe
PID 424 wrote to memory of 428	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1036	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1044	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1092	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1156	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1208	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1240	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1336	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1416	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1472	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1524	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1568	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1580	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1632	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1744	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1776	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1864	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 1876	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2032	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2040	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2000	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2056	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2192	424	dialer.exe	spoolsv.exe
PID 424 wrote to memory of 2320	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2340	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2488	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2496	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2524	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2556	424	dialer.exe	sysmon.exe
PID 424 wrote to memory of 2572	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2644	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2656	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2692	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 2864	424	dialer.exe	sihost.exe
PID 424 wrote to memory of 3020	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 3112	424	dialer.exe	unsecapp.exe
PID 424 wrote to memory of 3304	424	dialer.exe	Explorer.EXE
PID 424 wrote to memory of 3448	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 3456	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 3832	424	dialer.exe	RuntimeBroker.exe
PID 424 wrote to memory of 3904	424	dialer.exe	RuntimeBroker.exe
PID 424 wrote to memory of 3944	424	dialer.exe	DllHost.exe
PID 424 wrote to memory of 3992	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 4256	424	dialer.exe	DllHost.exe
PID 424 wrote to memory of 4412	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 3584	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 4388	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 760	424	dialer.exe	svchost.exe
PID 424 wrote to memory of 5068	424	dialer.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:460

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1208
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  PID:1428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1524
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2524

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3020

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe
  "C:\Users\Admin\AppData\Local\Temp\059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:640
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4840
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1200
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1392
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mhlrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeSetup' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeSetup' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1692
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "ChromeSetup"
  2⤵
  PID:3316
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2092
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4408
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:804
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3600
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1252
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4332
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1736
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1288
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#mhlrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeSetup' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeSetup' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4160
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4164
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3148
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:5068

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2468

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.8MB

MD5
54412b71ea7131807f7deb790419b599

SHA1
601bd3f38ad8ef4a40ec3f7a05335ff65c8d24e9

SHA256
059bd08260905484376ecf615422f332c0bb85c50d46bd72db2ef582cd416ee5

SHA512
3622035afd091ef8fbfc79b56c8a05c81470c6ca01c1ab3d596f6d3acffcb5d725484ed0e321dbed4900b6f4811316234266a72cc2849eba218114f464d786c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zm4ntzrv.3ps.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
memory/424-19-0x00007FFB4F160000-0x00007FFB4F369000-memory.dmp

Filesize
2.0MB

Download
memory/424-20-0x00007FFB4E870000-0x00007FFB4E92D000-memory.dmp

Filesize
756KB

Download
memory/428-39-0x0000029F23160000-0x0000029F23187000-memory.dmp

Filesize
156KB

Download
memory/428-40-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/460-31-0x000001CBA0D10000-0x000001CBA0D37000-memory.dmp

Filesize
156KB

Download
memory/460-32-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/632-22-0x000001ED92CA0000-0x000001ED92CC7000-memory.dmp

Filesize
156KB

Download
memory/632-21-0x000001ED92C70000-0x000001ED92C91000-memory.dmp

Filesize
132KB

Download
memory/632-23-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/680-26-0x0000025236680000-0x00000252366A7000-memory.dmp

Filesize
156KB

Download
memory/680-27-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/992-34-0x0000018AA9460000-0x0000018AA9487000-memory.dmp

Filesize
156KB

Download
memory/992-35-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1036-43-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1036-42-0x00000130EE460000-0x00000130EE487000-memory.dmp

Filesize
156KB

Download
memory/1044-46-0x000001819C590000-0x000001819C5B7000-memory.dmp

Filesize
156KB

Download
memory/1044-47-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1092-54-0x0000013B96390000-0x0000013B963B7000-memory.dmp

Filesize
156KB

Download
memory/1092-55-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1156-57-0x0000015F68960000-0x0000015F68987000-memory.dmp

Filesize
156KB

Download
memory/1156-58-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1208-60-0x000002707C510000-0x000002707C537000-memory.dmp

Filesize
156KB

Download
memory/1208-61-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1240-63-0x000002435EA60000-0x000002435EA87000-memory.dmp

Filesize
156KB

Download
memory/1240-64-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1336-67-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1336-66-0x0000011115F60000-0x0000011115F87000-memory.dmp

Filesize
156KB

Download
memory/1416-76-0x000001F4FB9B0000-0x000001F4FB9D7000-memory.dmp

Filesize
156KB

Download
memory/1416-77-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1472-80-0x00007FFB0F1F0000-0x00007FFB0F200000-memory.dmp

Filesize
64KB

Download
memory/1472-79-0x0000025041FB0000-0x0000025041FD7000-memory.dmp

Filesize
156KB

Download
memory/1672-13-0x00007FFB2E310000-0x00007FFB2EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/1672-17-0x00007FFB2E310000-0x00007FFB2EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/1672-14-0x00007FFB2E310000-0x00007FFB2EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/1672-1-0x00007FFB2E313000-0x00007FFB2E315000-memory.dmp

Filesize
8KB

Download
memory/1672-12-0x00007FFB2E310000-0x00007FFB2EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/1672-11-0x00007FFB2E310000-0x00007FFB2EDD2000-memory.dmp

Filesize
10.8MB

Download
memory/1672-7-0x000001A4FC400000-0x000001A4FC422000-memory.dmp

Filesize
136KB

Download
memory/2092-321-0x000001BE26CB0000-0x000001BE26CCC000-memory.dmp

Filesize
112KB

Download
memory/2092-320-0x000001BE26750000-0x000001BE2675A000-memory.dmp

Filesize
40KB

Download
memory/2092-319-0x000001BE269A0000-0x000001BE26A53000-memory.dmp

Filesize
716KB

Download
memory/2092-322-0x000001BE26760000-0x000001BE2676A000-memory.dmp

Filesize
40KB

Download
memory/2092-323-0x000001BE26CD0000-0x000001BE26CEA000-memory.dmp

Filesize
104KB

Download
memory/2092-324-0x000001BE26770000-0x000001BE26778000-memory.dmp

Filesize
32KB

Download
memory/2092-325-0x000001BE26780000-0x000001BE26786000-memory.dmp

Filesize
24KB

Download
memory/2092-326-0x000001BE26CF0000-0x000001BE26CFA000-memory.dmp

Filesize
40KB

Download
memory/2092-318-0x000001BE26730000-0x000001BE2674C000-memory.dmp

Filesize
112KB

Download
memory/4152-0-0x00007FF674490000-0x00007FF674A5E000-memory.dmp

Filesize
5.8MB

Download
memory/4160-523-0x00000267B78A0000-0x00000267B7953000-memory.dmp

Filesize
716KB

Download